Fully funded PhD opportunity in public procurement

My good friend Martin Trybus from the University of Birmingham is looking for a Ph.D candidate for his EU-funded Horizon 2020 Marie Skłodowska-Curie Actions Innovative Training Network (ITN) on transatlantic trade and investment. Here's the low down:

"The ESR will work within Birmingham Law School and enrol for a 3-year PhD programme under the supervision of Professor Martin Trybus. The research project has the provisional title “Towards a Transatlantic Public Procurement Market” (details to be agreed between ESR and supervisor).

The objective of the ITN is to foster interdisciplinary research into transatlantic trade and investment. The network will have 15 ESRs at 11 different partners across Europe. The ESR will benefit from a wide-ranging training programme consisting of Advanced Training Courses and topical conferences organised by ITN partners across Europe. The ESR will contribute to ambitious and carefully planned research, outreach, impact and dissemination activities benefiting from the expertise of world-leading senior academics. Planned secondments (to be confirmed) include the University of Turin (work with co-supervisor Professor Roberto Caranta), George Washington University in Washington DC, the International Training Centre of the International Labour Organisation in Turin, Baker McKenzie in Berlin, and CEPS in Brussels."

This is a great opportunity for those of you wanting to do a Ph.D in procurement. Martin is great to work with and so is Roberto Caranta, both of whom I can vouch for, having known and worked with them over the last 6 years on the European Procurement Law Group.

How to go about and do real world experimentation in procurement

Albert got the ball rolling (or kicked the hornets' nest, depending on the perspective) yesterday by calling for more experimentation in public procurement. He is putting a finger on a particular wound - innovation in public procurement - and my comments (for now) can be found on this Twitter thread:

There is a lot more to be said about the topic, but that is my hot take for now.

New paper: The European Single Procurement Document

This paper will show that the European Single Procurement Document (ESPD) introduced by Directive 2014/24/EU and Commission Implementing Regulation 2016/07 constitutes a paradigm shift in how public procurement procedures are run in the EU, and one with unintended consequences. Before its introduction, each economic operator wishing to take part in a public procurement procedure had to submit all qualifying information at the start of the procedure. This meant incurring transaction costs that are certain in exchange for the opportunity of an uncertain benefit: winning the contract. The ESPD alters the balance of power (and costs) by replacing the full documentation requirement with a simple self-declaration form, aiming for a reduction in transaction costs and the removal of a barrier to the participation of economic operators in public procurement procedures. It is unclear whether in reality its use will amount to savings in transaction costs or whether those will actually increase, and whether the change in incentives may lead to more strategic non-compliance by economic operators and reduced legal compliance by contracting authorities, which may be tempted to overlook at least minor shortcomings by winning bidders.

The paper is published in the most recent issue of the Upphandlingsrättslig Tidskrift journal.

Commission publishes ESPD review

The Commission has just put out its European Single Procurement Document review, covering what has been done so far to get it to work and the current status of its implementation. The report makes for grim reading, with most Member States still fumbling their way around and the majority using the paper version (!) at the end of 2016.

The Commission suggested that the electronic ESPD service it currently provides is a transitional measure (I assumed as much in my paper about the ESPD), but the fact that 16 Member States are still using it instead of implementing national versions is worrying, since it is now anticipated that the electronic ESPD system will be shut down after April 18th 2019. On a more positive note, Bulgaria, Croatia, Denmark, Latvia, Lithuania, the Netherlands and Romania have made the use of the ESPD mandatory for below-threshold contracts as well, with Hungary, Italy, Slovenia, Slovakia and Spain accepting its use without it being mandatory.

As expected, most countries are woefully behind when it comes to integrating the databases from which the data that feeds into the ESPD may be accessed, and until that happens the real benefits of the system will not be felt. Nonetheless, the Commission claims Denmark and Croatia have been able to quantify the benefits (I would love to see the research and data) while no "Member State has tried yet to quantify the benefits deriving from a reduced administrative burden for buyers." Again, that will take a while and a painful adaptation period.

While criticism by some Member States, suppliers and buyers is briefly mentioned, the report is silent on any particular difficulties in implementation or improvements necessary. As for the drawbacks, yesterday's post gives a flavour that is missing from the Commission's report.


Business model implications of the NHS ransomware attack

Blame the Business Model

Still, even if the U.S. government is less to blame than Smith insists, nearly two decades of dealing with these security disasters suggests there is a systematic failure happening, and I think it comes back to business models. The fatal flaw of software, beyond the various technical and strategic considerations I outlined above, is that for the first several decades of the industry software was sold for an up-front price, whether that be for a package or a license.

This resulted in problematic incentives and poor decision-making by all sides:

- Microsoft is forced to support multiple distinct code bases, which is expensive and difficult and not tied to any monetary incentives (thus, for example, the end of support for Windows XP).
- 3rd-party vendors are inclined to view a particular version of an operating system as a fixed object: after all, Windows 7 is distinct from Windows XP, which means it is possible to specify that only XP is supported. This is compounded by the fact that 3rd-party vendors have no ongoing monetary incentive to update their software; after all, they have already been paid.
- The most problematic impact is on buyers: computers and their associated software are viewed as capital costs, which are paid for once and then depreciated over time as the value of the purchase is realized. In this view ongoing support and security are an additional cost divorced from ongoing value; the only reason to pay is to avoid a future attack, which is impossible to predict both in terms of timing and potential economic harm.

The truth is that software — and thus security — is never finished; it makes no sense, then, that payment is a one-time event.

Ben is on the right track when arguing that the lack of alignment of business models is at the heart of the problem. However, the problem itself is more complex than Ben perhaps realises since many of the "computers" affected by last week's attack are not "computers" in the traditional sense of the word, but medical devices where the software is embedded as part of the whole widget. As such, his proposed solution does not address the problem within the medical context.

Medical devices such as MRI scanners have a lifecycle that does not necessarily match that of the embedded software. For example, Microsoft sold Windows XP until 2008 and supported it until 2014. MRI scanners have a lifecycle of 10-12 years (and I have been on a few older ones myself...), so a scanner built in 2008 using Windows XP would only have its software supported for half of its lifecycle. Now you may ask why on earth a vendor would still be selling products with Windows XP in 2008, but that is due to the high certification costs of medical equipment (no one wants a repeat of the Therac-25 disaster) and the "shelf life" of those machines: new MRI scanners are not designed every year like an iPhone, so companies have the incentive to sell existing models for as long as possible to defray the development costs through a larger number of units sold. Plus, since the software is embedded in the machine there is usually no competitive pressure applied to it (if you doubt me, check your car's entertainment "software" and compare it with your smartphone).

The above is the main reason why Ben's proposed business model of Software as a Service would not work within the context of the NHS attack: Microsoft does not have a commercial relationship with the final acquirer of the machine but with the vendor, therefore Microsoft's business model cannot change reality at the proverbial coal face. Even if Microsoft supplied its software under a SaaS model, there are currently no incentives for the device manufacturer to actually incur the certification costs of pushing it to the machines in use (another smartphone example: how many Android smartphone vendors actually update hardware that has already been sold to new versions of the OS?).

How do we align the business models then?

It is possible to align the business models in two different ways. First, by changing the way those devices are acquired by hospitals and NHS trusts. Second, by extending the liability of the manufacturer.

An easy way to look at aligning the incentives of different business models would be to lease instead of outright buying the medical devices where possible, thus transforming a capital expense into an operational one (as suggested by Ben). With the right contractual incentives in place (i.e. that the embedded software must be kept up to date, at least as far as security patches are concerned) it would be possible to give device vendors the incentive to keep their machines secure.

A fancier approach is to follow the example I saw in Spain when doing my Ph.D research. At least one regional health board was doing public-private partnership (PPP) contracts with medical equipment providers. In practice this ends up being quite close to Ben's suggestion of SaaS, but with hardware instead. For a period of up to, say, 12 years the public sector was "buying" the availability of imaging equipment in their premises from a vendor.

What made those contracts so interesting is that they included upgrade clauses, so that when a new machine was released, those in service needed to be replaced with the new model, creating in the vendor an obligation to cascade updates to the customer during the whole lifecycle of the contract. I am not aware that they covered software updates, although maintenance and servicing were included. Even if they did not, it is conceivable to design future contracts so as to include software updates for machines in service.

A different avenue would be to attack the problem from a vendor liability perspective, which may also be valid under the current contracts or could spring from raised awareness of the potential liability implications of last week's ransomware attack.

Bottom line

It is possible to conceive contractual and legal solutions that solve (most of) the alignment issue between vendors of medical devices and their clients going forward. What remains to be seen, however, is what will happen with the existing machines. Surely vendors would be delighted to replace them all, but will the courts consider that they owe a duty of care of sorts towards the users to keep them updated during a certain period of time and to provide access to the source code once they reach "end of life" support? One may dream.

Unintended consequences of using procurement as a compliance tool

About 10 days ago I gave a presentation at the CEVIA conference in Copenhagen (slides here) on how public procurement in the EU was slowly but surely being transformed into a compliance tool or enforcement system for policy objectives.

As it happens, I have also just published a paper on the ESPD* and how it internalises in the contracting authority the compliance cost which until now had been pushed out to the market via the requirement of presenting documentary evidence. Collecting all those documents and information, it turns out, is not as free as contracting authorities may have thought.

Today, Hansel - the Finnish Central Purchasing Body - published a blogpost aptly entitled Sometimes I feel like I am Sherlock, which included the following section:

Where it was assured that the ESPD would reduce the amount of attachments, it also included a brand-new requirement derived from the directive. As a part of the mandatory exclusion grounds set for the tenderers, they must ensure that the tendering business or any person who is a member of its administrative, management or supervisory body or has powers of representation, decision or control therein has not been the subject of a conviction for crimes such as corruption, fraud, terrorism and child labour etc. The contracting authority must also check the criminal records of such people from the tenderer which has been selected as a supplier. At this stage I wanted to cry a bit.

Are we becoming the procurement police?

I understand that this is an important feature. It would be nasty if the public sector were to fund criminal operations through procurements. But what I don’t understand is why checking these things is the responsibility of the contracting authorities. How does making procurement units Sherlocks help the EU to reduce the black market? Do we not have any other means to prevent criminals from operating businesses in general?

I have completed many tender processes now where the ESPD and its requirements have been in use. The checking of the criminal records requires skills in Finland. The process consumes resources from both the private and public sector operators. The businesses must first ask permission in writing to retrieve the records from all the people involved. The records cannot be copied or sent via regular email. The contracting authorities can only check the records, but they can’t restore them anywhere. The records should be either destroyed or returned to the sender. Due to the complex nature of this process, the tenderers are starting to prefer a visit to the contracting authority to show the original records physically instead of exploiting the benefits of digitalization.

The rest of the entry is self-recommending, but it rightly touches the nerve of the unintended consequences arising from making procurement a bona fide enforcement proxy and the lack of consideration for transaction costs. We, the procurement police.


*Will give out SSRN link as soon as paper is up on there.

The procurement angle behind the NHS ransomware attack

Last week's (and today's?) ransomware attack on the NHS has a procurement angle to it. It is not the only one and maybe not the most important but procurement mattered nonetheless. Here's why:

1. Vendor lock-in

All compromised computers ran either Windows XP (unsupported) or more recent versions that had not been patched to fix the vulnerability. There may be very good reasons for both situations, such as critical systems depending on software available only for Windows XP; medical devices only having drivers for Windows XP; uncertainty as to whether patching would create problems elsewhere.

Those are all valid reasons to have both XP and more modern unpatched computers. They are, however, a good example of what happens when the public sector falls prey to vendor lock-in. By throwing in its lot with Microsoft and equipment vendors that only support a legacy OS like XP, the NHS is no longer in full control of its decision making. It cannot decide when to patch, what to patch or when to ask another supplier to step in and help solve any problems. The NHS is at the mercy of external players whose interests are not aligned with its own. Microsoft wants to sell Windows 10 copies; medical device vendors want to sell more modern machines. Even if medical device vendors have support contracts for their equipment, those may not include software updates (remember Windows XP is 15 years old) or it may not be technically feasible to update the software on those devices to make it compatible with newer versions of Windows.

I have long harped on about the risks arising from possible vendor lock-in on innovation contracts, but current lock-in is surely a lot more important in practice. In addition, last week's attack is also another example of the risks of accepting commercial secrecy as a given in public contracts.

2. The XP support contract

Microsoft stopped Windows XP mainstream support in 2014, and started charging organisations significant sums of money to keep issuing patches for XP through consultancy/service contracts. The UK Government had a £5.5M contract with Microsoft for a year of support:

“We have made an agreement with the Crown Commercial Service to provide eligible UK public-sector organisations with the ability to download security updates to Windows XP, Office 2003 and Exchange 2003 for one year until 8 April 2015,” said a Microsoft spokesperson.

The UK's custom support agreement was not renewed or extended in April 2015, perhaps due to the costs involved: allegedly Microsoft doubled the cost from $200/machine to $400/machine, and perhaps the UK Government was unable to negotiate a reduction in unit costs. Perhaps they did not even know how many computers in the public sector needed patching, making any negotiation difficult. As a comparison, the US Navy was paying Microsoft $9.1M for support until July 2016, and the extension for 2017 would have increased the cost once more.

From April 2015 onwards, all UK public sector XP machines became proverbial sitting ducks. The magnitude of the problem for the NHS has been known since September 2016, when Motherboard published an article based on a FoI request:

Motherboard has found that at least 42 National Health Service (NHS) trusts in England are still using the Windows XP operating system, with many of them confirming that they no longer receive security updates for the software. Legal experts say that the NHS hospitals may be in breach of data protection regulations.

As it happens the attack hit between 40 and 48 NHS trusts in England and I am sure that is not a coincidence. I suspect there is a significant overlap between those that were still using XP in September 2016 and the trusts hit last week.

I am not a data protection expert, but I would not be surprised if those Trusts were in violation of their obligations, and I remain less than assured that personal medical data has not been stolen, not in this attack but by others exploiting the same vulnerability since it was disclosed over a month ago.

3. (Dis)Organisation and competing priorities

The final procurement angle is one of disorganisation and competing priorities. Having a decentralised health system in a day and age where IT is becoming more complex (and expensive) to manage well is a disaster (or two) waiting to happen. Procurement itself is becoming ever more complex - partly because of rules, partly because of bolt-on policies, partly because what is being procured is becoming more complex as well - and those two trends should dictate a move to a more centralised model.

I am not claiming that centralisation would magically solve the problems (funding would remain an issue), but that it at least makes it possible to have somewhere the necessary expertise to do procurement and IT well. As it stands we expect each and every NHS trust to have that (and more) expertise on tap at any given moment. Since complexity is only going to increase (smart medical devices, anyone?) the future looks grim.

Finally, time and time again I have seen IT managers pleading for resources to secure networks and/or upgrade/test their equipment. It is always a tough sell, as the key decision makers simply do not understand the risks and what is at stake, preferring instead to allocate resources to priorities they understand and where they understand the risks/consequences. Maybe in the NHS that will change going forward.

PS: A bit of perspective is important though. Let's not forget that those institutions have been victims of an attack, which may well constitute a criminal activity. If we should not blame victims of other crimes, the same standard should apply to the institutions involved in this one.

Are UK contracting authorities publishing contract award information?

The answer is: not all of them and not all of the time, irrespective of the clear legal commands to do so. OpenOpps looked into the practice for contracts published on Contracts Finder and this is what they found out:

On average, central government departments had 23% of tenders incomplete. For example, Department for Education has issued 70 tenders and just 43 contract awards (39% incomplete) and the Department of Health has issued 101 tenders and only 33 contract awards (67% incomplete). The better performers were FCO Services and the Department for Transport. FCO Services has issued 187 tender opportunities on Contracts Finder, but published 186 contract awards (only 0.5% incomplete). The Department for Transport has published 97 tender opportunities and 94 are complete (4% incomplete).

As I suspected, local Government is a lot worse:

This trend of leaving tenders incomplete is less greater in local government where, on average 65% of the notices are incomplete. According to our analysis, 114 local government publishers of tender notices have never published a contract award notice, whilst only 37 local government publishers had published all of their contract awards notices, and 17 of these had published just one tender notice and one contract award. Clearly, the lack of contract award notices is not the only issue, low publishing numbers are also a problem. For example, Cambridgeshire County Council managed to publish just five tenders into Contracts Finder, when they’ve managed to publish 173 tender notices elsewhere since January this year.

As the data analysis was done only on Contracts Finder, it is possible that for contracts above the EU thresholds contracting authorities are complying with the requirement by publishing the results on Tenders Electronic Daily instead.

Links I Liked [Public Procurement]

1. World Bank starts MOOC on PPPs (French only). Older English version here. I sincerely hope they cover also the downsides of PPPs.

2. 18F publishes beta website with US Government spending. Now if only we would do the same in Europe...

3. Night bus service in Barcelona to be re-tendered (Spanish only). Never understood why the night bus service in Barcelona uses different buses from the day ones. All that capacity sitting idle during the day? Makes no sense.

4. Just Another Paperclip? Rethinking the Market for Complex Public Services. Good report by Gary Sturgess.

5. An Exercise in Underachievement–The UK’s Half-Hearted Half-Measures To Exclude Corrupt Bidders from Public Procurement. Talk is cheap.

How expensive has defence procurement become in the US?

'A lot' appears to be the answer:

According to the Government Accountability Office, cost overruns have ballooned to more than $450 billion over the past two decades. The Navy needs to take authority back from the bureaucracy, end the culture of constant design changes and gold-plating, and bring back fixed-price competition.

Recall the development of the Polaris nuclear-missile system in the late 1950s. The whole package—a nuclear submarine, a solid-fuel missile, an underwater launch system, a nuclear warhead and a guidance system—went from the drawing board to deployment in four years (and using slide rules).

Today, according to the Defense Business Board, the average development timeline for much less complex weapons is 22.5 years. A case in point is the Ford-class aircraft carrier. The program is two years delayed and $2.4 billion over budget.

and more:

Yet the defense firms involved still profit under cost-plus contracts. The three stealthy Zumwalt-class destroyers—they are really heavy cruisers—are another example.

The defense bureaucracy produced a seagoing camel costing three times its original estimate and delivered with questionable seaworthiness and without functional radar or a reliable propulsion system.

Both quotes come from John Lehman, US secretary of the Navy under President Reagan.

Note the push-back against cost-plus contracts and how they provide economic operators with the incentive to keep the costs ticking even if they are not necessarily making a profit (it helps soak up capacity, cash-flow management, etc.).

Revising the Commentary to the Public Contracts Regulations 2015

Albert and I published our consolidated Commentary to the Public Contracts Regulations 2015 late in 2016. The current version was mostly based on the blogposts we wrote back in 2015, and we only updated the content in very specific areas as we were working on a very tight timeframe and with plenty of competing priorities. We are delighted with the fact that it already attracts almost 1,000 unique visitors/month (971 as of today).

The commentary itself is quite long - 98,200 words in fact - and we are certain some entries could do with a brush up, cleaning and also some updating of ideas and concepts. We would like to review a maximum of 5-10 entries this Summer and, as our time available is limited (as usual), we need to focus where there is most interest/need for improvement.

Checking the logs for the last 6 months it seems that people are using the following entries the most:

- Regulation 59 (ESPD)
- Regulation 57 (Exclusion Grounds)
- Regulation 33 (Framework Agreements)
- Regulation 72 (Contract Modifications)
- Regulation 24 (Conflicts of Interest)
- Regulation 37 (Centralised Purchasing Activities)

We may focus our attention on these or others, although it is clear that at least the ESPD will get a good seeing to, as I have just written a paper about it.

As for the rest of our effort, which entries would you like to see us revisiting?


Brussels cannot "freeze Britain out of EU contracts"

The Financial Times ran a piece yesterday arguing a Commission internal memo contains instructions for: "[w]here legally possible, the commission and its agencies will be expected in all activities to “take account” of the fact that Britain may be “a third country” within two years, including in appointing staff and in awarding billions of euros of direct contracts for research projects or services." I had no problem calling out some wrongheaded and/or illegal suggestions on this side of the Brexit divide. In the interests of fairness (and equal treatment) I have no problem doing the same for the EU side, as this is another example of what I call the unravelling of EU law compliance in the run-up to Brexit.

While it is true the UK triggered Art. 50, triggering the process does not affect any rights or obligations for the UK until its departure from the Union occurs, and vice-versa. That is, for all intents and purposes the UK is as much a Member State today as it was on March 28th and is entitled not to be discriminated against. Furthermore, the jury is still out on whether the Art. 50 process itself is reversible.

And yet, yesterday's news makes for uncomfortable reading. Albert pointed out in his commentary on this memo that both the Member States and the EU Institutions are subject to Art. 2 TEU and the rule of law. The fact that such a basic feature of the system needs to be pointed out (correctly) is a very worrying sign.

In this sense the (EU) law is simple: until the UK effectively departs the EU, nothing changes and UK-based economic operators cannot be discriminated against (either at tenders conducted by EU Institutions or in other Member States). If they are, they would have clear grounds to call for judicial review of the award decision.

On a related note, I recall a leading (British) academic privately arguing that non-compliance with rules that are subsequently changed should go unpunished (in the context of the UK's non-compliance with some EU procurement rules that were changed afterwards). Coming from a civil law background, such a cavalier interpretation of legal obligations/the rule of law has always puzzled me. I shall keep an eye out to see if said colleague's opinion has evolved now that it directly affects UK economic operators.