Cybersecurity is a sector poised for explosive growth in the next few decades, in Alberta and worldwide. Security is (or should be!) a consideration that intersects with every project, and as such the field of computer security needs to innovate to produce answers that are required by other forward-thinking areas of ICT, such as embedded systems, IoT, SCADA software, blockchain, cloud computing, machine learning, etc. Furthermore, the threat landscape is ever-changing, and malicious actors are constantly innovating, requiring cybersecurity practitioners to always be aware of the state of the art – or even better, one step ahead! This makes it a fertile ground for both innovation and SR&ED (Scientific Research & Experimental Development). This white paper aims at connecting the dots between SR&ED policies and eligibility of projects within the cybersecurity sector.
The Canada Revenue Agency (CRA) is generally receptive to ICT, software, and indeed cybersecurity projects. After all, over half of the SR&ED claims made in Canada are related to software. However, three things can lead to failure when claiming SR&ED in software:
- The technological uncertainty isn’t clearly identified or is considered by CRA to be within the bounds of standard software engineering practices.
- The description fails to communicate a systematic investigation.
- There is insufficient contemporaneous documentation to support the claim.
Furthermore, some activities are excluded from the scope of a SR&ED claim, such as routine data collection, testing, troubleshooting, or debugging when not in support of a SR&ED technological uncertainty. Other activities, such as computer programming, can only be included as supporting work for the project (in other words, computer programming in and of itself cannot be claimed as the core technological uncertainty).
Novelty vs uncertainty
The field of cybersecurity constantly deals with new threats and vulnerabilities, but these do not automatically qualify your work for SR&ED. Just because something is novel and leads to several attempts and failures doesn’t necessarily mean it qualifies; the presence of a technological uncertainty is paramount. Examples of things that are not necessarily SR&ED-eligible are:
- Finding new vulnerabilities using fuzzing;
- Performing dynamic analysis of a new malware;
- Changing your scripts to adapt to a new hardware password cracker;
- Writing a new IPS rule to detect newly-published adversarial traffic signatures;
- Writing PoC code for a newly-published exploit with no public PoC code.
These activities produce new knowledge, but often would fall under routine engineering for highly-qualified personnel. However, there could be situations where existing methods are not enough, and the problem at hand causes you to change your tools and processes. This means that if these activities aren’t themselves SR&ED, they could lead to SR&ED!
On the other hand, new methods, processes, insights, and approaches in the face of a changing threat landscape are more likely to be SR&ED.
Security audits as an example
By now, security analysts and engineers have robust frameworks and considerable public resources at their disposal (vulnerability scanners, payload distribution frameworks, etc.) to conduct security audits of organizational resources. Such an audit, whether you’re contracting or are the contractor, can reasonably be considered routine engineering, even if they uncover new information or vulnerabilities; as such, this is not a SR&ED-eligible expense.
This doesn’t mean there is no potential for uncovering SR&ED projects during or as a consequence of such processes. Did a security audit uncover the need for you to encrypt communications, which then causes significant slowdowns in your application or makes crucial analytics tools unable to get any data? Or did you decide to create a new tool that manages backups more efficiently, or encompasses more data, to speed up the rebuilding process after an attack? Depending on the situation, these might mark a technological challenge with an uncertain path to resolution, which is the beginning of SR&ED.
Advances in the field of cybersecurity are crucial in our endeavors to innovate across sectors. There is likely an opportunity for your organization to claim SR&ED to recoup the cost of innovation in cybersecurity, however the approach taken in your development, the financial complexities of compiling a claim, and the strategy behind structuring your project and technical descriptions require an experienced team. To continue the conversation about cybersecurity, SR&ED, and how we might work together, please book a discovery call with our team.