:
I'd like to call the meeting to order.
I want to extend to everyone here a very warm welcome. We have a large crowd here this morning, so hopefully everyone is comfortably seated and in their places.
Ladies and gentlemen, we are here today, pursuant to Standing Order 198(3)(g), to discuss chapter 1, “Safeguarding Government Information and Assets in Contracting”, of the October 2007 Report of the Auditor General of Canada.
We are pleased to have with us the Auditor General of Canada, Sheila Fraser. She is accompanied by the assistant auditor, Ronnie Campbell; and principal, Bruce Sloan.
From the Department of Public Works and Government Services we have the accounting officer, François Guimont. He is accompanied by Jane Meyboom-Hardy, the assistant deputy minister; and Gerry Deneault, the director general, industrial security sector.
From Defence Construction Canada we have Mr. Ross Nicholls, president and chief executive officer.
From the Department of National Defence we have Scott Stevenson, acting assistant deputy minister. We have Major-General Glynne Hines, chief of staff, assistant deputy minister, information management; and Lieutenant-Colonel Dave Shuster, director, deputy provost marshal, security.
From the Treasury Board Secretariat we have Mr. Ken Cochrane, chief information officer. He is accompanied by Mr. Pierre Boucher, senior director, identity management and security.
As I said, we have a very large crowd. They're not all at the table, but they can be called to the table should the need arise. Hopefully everyone is ready to go.
Mr. Williams.
We thank you for this opportunity to present the results of chapter 1 of our October 2007 report, entitled “Safeguarding Government Information and Assets in Contracting”.
Joining me today are Ronnie Campbell, assistant auditor general, and Bruce Sloan, senior principal, who were responsible for this audit.
The Government of Canada's ability to protect sensitive information and assets it entrusts to Canadian industry is critical to ensuring the health, safety, security, and economic well-being of Canadians, both at home and abroad. This ability is also important for maintaining Canada's international reputation and ensuring the continued growth of international trade.
[Translation]
We found serious weaknesses at almost all levels in the processes set up to ensure the security of government information and assets entrusted to industry. These weaknesses range from incomplete policies, an unclear mandate, poorly defined roles and responsibilities for industrial security, to a willingness of some officials to circumvent key security procedures in order to reduce costs and avoid delays in completing projects.
We found that many who play a role in industrial security are not sure of their responsibilities. All stages of the process rely on the assumption that the proper procedures were followed at the earlier stages, but there are few mechanisms to provide assurance that this is so.
[English]
As a result of weaknesses in the system, many federal contracts providing access to sensitive government information and assets have been awarded to contractors whose personnel and facilities had not been cleared to the appropriate security levels. These include a number of contracts awarded by the Department of Public Works and Government Services on behalf of other government departments, and thousands of contracts for national defence construction and maintenance projects awarded by Defence Construction Canada.
Of particular concern was the failure by officials at National Defence to properly incorporate contract security requirements for the construction of the above-ground complex in North Bay, Ontario. Contracts for this project were awarded by Defence Construction Canada to unscreened contractors. As a result, Canadian and foreign workers had virtually unlimited access to the construction plans and the construction site.
[Translation]
I am pleased to note that Defence Construction Canada has begun to address some of the issues raised in our report. We received a detailed management action plan that outlines the actions the entity will take to address our recommendations. The committee may wish to ask the entity about the progress it has made.
National Defence has also provided us with an action plan to address our recommendations. The committee may wish to ask the department what progress has been made to date and what steps have been taken to ensure that the NORAD above-ground complex can be used for its intended purpose.
PWGSC's Industrial Security Program plays a major role in ensuring that contracts with security requirements comply with the government security policy. We found that the program's operating procedures were in draft form and did not cover key activities essential to ensuring security in contracting. In addition, the program did not have stable funding, thus limiting its ability to hire and retain enough qualified security professionals.
[English]
I'm very pleased to note that Public Works and Government Services Canada has provided us with its management action plan. Although we have not audited the plan, we did review it. We believe that if it is carried out, the plan should address the concerns raised in our report. The committee may wish to ask the department about its strategies and the progress it has made to date, particularly its progress in obtaining stable funding for the program.
We found that the government did not know to what extent it is exposed to risks as a result of less than adequate industrial security. A concerted effort to strengthen accountability, to clarify policies, and to better define roles and responsibilities for security in contracting is required to help reduce these potential risks to the national interest.
Mr. Chair, this concludes my opening statement. We would be pleased to answer any questions the committee members may have.
Thank you.
:
Thank you very much, Ms. Fraser.
Before going to Mr. Guimont, I want to point out that we were exceptionally late starting this meeting, so I plan to go until a quarter after one due to the importance of the meeting.
I understand, Mr. Guimont, you have an opening statement. Go ahead.
:
Mr. Chair, members of the committee, thank you for this opportunity to appear before you today.
The Industrial Security Program plays an important role in keeping government information and assets secure when these are entrusted to the private sector as a result of a government contract. In a nutshell, we do this by screening individuals and firms for all contracts for which PWGSC is the contracting authority, and when requested by other government departments exercising their own contracting authority.
The program processes about 2,000 security-related contracts a year, 75% for which PWGSC is the contracting authority. We carry out this role for federal contracts and for contracts awarded to Canadian firms by the foreign governments with which we have security agreements.
While PWGSC is not the only department to perform contract security functions, as the main purchasing arm of the Government of Canada we handle many large contracts involving sensitive information and assets.
I was briefed on the initial observations and findings of the Auditor General last June, shortly after I began my duties as deputy minister of PWGSC. As the accounting officer, I took these observations seriously and began work in earnest to address the concerns raised. We did not wait until the Auditor General tabled her report.
[English]
Let me say before going any further that we agree with all of the Auditor General's recommendations. Our action plan has been reviewed by the Auditor General and tabled with the committee. It has four key elements that directly address her concerns.
First, we instituted a certification process to ensure that client departments clearly identify for every contract request whether there is a security requirement or not.
Second, we completed and issued an industrial security standard operating procedure that has been in draft form, and we train our people to ensure it is consistently followed.
Third, the industrial security program's information and technology systems were certified as mandated under government security policy.
Fourth, our business continuity plan now calls for daily, rather than weekly, backup of our security data.
Furthermore, recognizing the program's importance, we took additional steps. The program is undergoing an independent third party management review of its mandate, roles and responsibilities, and program delivery to be completed by March 31. IT upgrades are being made to improve the exchange of information between the department's contracting and security systems. And an advisory board comprising senior officials with experience in the security area has been struck to provide advice on the direction and policies of the program and to advance coordination and improvement of contract security across government. It held its first meeting in January.
We are also conducting a detailed review of all 3,000 current contracts with security requirements to verify that the program has fulfilled its security obligations. This review will be completed some time in August.
[Translation]
Finally, on the issue of resources to fully carry out the program's activities, the department has, year over year, reallocated resources on top of the existing base. In 2007-2008, an additional $11.2 million was allocated to contract security-related activities.
I am working diligently with my colleagues at Treasury Board Secretariat and the Privy Council Office to secure an increase in our permanent funding base for the program.
Thank you, Mr. Chair. I would be happy to answer your questions.
:
Mr. Chair, honourable committee members, I am very pleased to be able to speak to you today. As some of you are not very familiar with Defence Construction Canada, I would like to take this opportunity to tell you a bit more about the company.
[English]
Defence Construction's mandate pursuant to the Defence Production Act is to deliver defence projects related to physical infrastructure. The corporation's been doing this for 56 years and has developed a recognized expertise in real property contracting, contract management, and in certain related areas.
Defence Construction supports the Canadian Forces and the Department of National Defence in meeting their operational requirements at site, across Canada and abroad. We currently have an office in Afghanistan supporting the mission there.
The management of industrial security for defence projects is a joint responsibility of National Defence and Defence Construction. We are accountable for ensuring the security of sensitive information and assets once the security requirements have been identified by the Department of National Defence. The corporation has always implemented measures consistent with the government security policy to safeguard those assets and information.
Furthermore, we have agreed with Treasury Board Secretariat to apply the government security policy to all our operations related to the delivery of defence projects. Defence Construction uses the industrial security division of Public Works and Government Services Canada to provide the contractual clauses appropriate for identified security requirements and to process clearances for individuals and firms that are contracted to work on defence projects.
Defence Construction proactively implemented procedures to strengthen its management of industrial security during the Auditor General's audit activity. When the report was published, we accepted her recommendations to further strengthen the security management framework.
As Madam Fraser pointed out, Defence Construction shared with her its action plan to deal with her recommendations, and the plan was made available to the committee in advance of this meeting.
I would be very pleased to discuss our progress against this plan or any other aspect of the report that interests members. I'm confident that Defence Construction does its part as an integral member of Canada's defence and security team to safeguard sensitive assets and information related to defence projects.
Thank you.
:
Thank you, Mr. Chairman.
Mr. Chairman and members of the committee, thank you very much for the invitation to brief you today on the Department of National Defence's response to the Auditor General's October 2007 audit of security and contracting.
As you know, my name is Scott Stevenson and I'm the acting assistant deputy minister for infrastructure and environment. I'm joined today by Major-General Glynne Hines, the chief of staff of the information management group at National Defence, and our departmental security officer, Lieutenant-Colonel Dave Shuster.
As you know, the audit contained two recommendations directed at National Defence. The first recommendation involved ensuring that our industrial security policies and procedures are up to date and complete and that they accurately reflect our roles and responsibilities under government security policy.
[Translation]
The second recommendation states that we should establish an integrated framework for managing industrial security on defence projects.
In the time given me today, I would like to give you an outline of the measures that have already been adopted by National Defence to follow up on those two points.
[English]
We have already drafted a new industrial security chapter for our departmental security manual. At the same time, our departmental security officer is working with stakeholders within the department and other government departments to ensure that our adjustable security policy and procedures are consistent with government security policy.
Mr. Chairman, this will help to address any current misconceptions or ambiguities on the part of project authorities.
[Translation]
We have also reviewed our procurement administration manual, which details our departmental procurement procedures. The responsibility of procurement and contracting authorities to identify security requirements in any procurement activity has been explicitly defined. These changes will also be reflected in our project approval guide.
[English]
To ensure coherence within the department, we have established a working group, co-chaired by senior managers responsible for material acquisition and construction, to ensure that our procurement policies and procedures are both workable and consistent with government security policy.
In order to improve security awareness at all levels, we are developing a new unit security supervisor course, which will include an industrial security module. The information contained in this module will be widely communicated across the department, which will further mitigate any potential misunderstanding or misapplication of the departmental security policy and the procedures relating to the contracting process.
[Translation]
The department has initiated staffing action to improve oversight and compliance with our industrial security program. The additional manpower will permit us to implement a regular verification program, and we are also investigating improvements to our information systems in order to enhance oversight.
[English]
Finally, we are working with Defence Construction Canada, which acts as the contracting authority for the majority of defence construction projects, in order to develop an integrated framework to ensure that security requirements are met during all phases of the contractual process.
I have just outlined a number of specific actions the department has undertaken or will undertake to address the concerns raised by the audit. I can assure you that the Department of National Defence is committed to ensuring that sensitive information and assets entrusted to industry through contracting are properly safeguarded. As a result of the Auditor General's report, the Department of National Defence is making significant improvements to our security provisions.
Thank you, Mr. Chairman.
:
Thank you, Mr. Chair, and good morning, committee members.
Thank you for the invitation to appear before your committee today to discuss the Auditor General's chapter on safeguarding government information and assets in contracting.
In chapter 1 of her 2007 report, the Auditor General makes several recommendations aimed at the Treasury Board Secretariat. We have taken action to address those concerns through our review of all management policies, known as “policy suite renewal”. My remarks today will highlight the progress we are making in this matter.
As part of policy suite renewal, the policy, standards, and guidelines on government security are currently under review, which should be completed before the end of this year. We are addressing the Auditor General's recommendations under three overarching themes.
Firstly, the new government security policy will clarify the requirements under the standard on security in contracting. This will ensure that the project authorities who originate the contracts will be the ones who certify the security requirements needed. By putting the burden of certifying the security requirements on the originator versus the contracting authority, we will increase the accountability of the group requesting the service, which has better knowledge of the specific security requirements.
Secondly, responding to another important recommendation of the Auditor General, the Treasury Board Secretariat will also require that departmental security officers implement quality assurance procedures. These procedures will be put into force by all departments and agencies and will provide for the ongoing review of contract files to ensure that they meet industrial security requirements.
Thirdly, through the renewed government security policy, standards, and guidelines, the Treasury Board Secretariat will ensure that deputy ministers have the information they need to satisfy themselves that they are fulfilling their accountabilities under the policy. Furthermore, the Treasury Board Secretariat has added an indicator under MAF, the management accountability framework, to assess the compliance of departments and agencies with security requirements.
The management accountability framework now provides for the assessment of departments' performance and effectiveness in safeguarding information, assets, and employees, as well as in ensuring the continued availability of critical services. We will assess key policy elements and ensure that security programs and systems of coordination are in place across government and that they are being administered effectively.
As we move forward in developing our new policy and standards, we are working closely with institutions to clarify requirements and guarantee that sound management practices for safeguarding government information and assets in contracting are in place.
This concludes my remarks. At this time, I would be pleased to answer questions that the committee has.
:
Mr. Sweet, I believe the staff is in the process of handing them out. You should have them momentarily. It's unfortunate that the meeting ahead of ours went over time.
I want to thank all the presenters. We're going to start with the first round of seven minutes.
Before we start, I would again urge all members of the committee to keep their questions relevant and to the point, and I urge all witnesses to keep their answers concise and relevant to the question being asked.
Mr. Wrzesnewskyj, you have seven minutes.
I note that in chapter 1, exhibit 1.1, the Auditor General lists off the roles and responsibilities for security in contracting, and that every government department appoints a departmental security officer to establish and direct a security program.
Mr. Shuster, would you be that individual in Defence?
She went on to state that you would conduct active monitoring and internal audits of security programs, including security in contracting, and report the results to the Treasury Board of Canada Secretariat.
Now, Ms. Fraser, on page 2 of your report, under the subheading, “What we found”, you stated that during one major project you found a willingness on the part of National Defence officials to circumvent key security-related procedures. Later in the chapter, you refer to the NORAD above-ground project. Is that the one you're referring to?
:
If I may, because we are short of time, I'll just jump back to Mr. Shuster.
Mr. Shuster, you are in charge. You are the officer in charge, and in paragraph 1.73 the Auditor General says that since 2002, out of 8,500 projects, 99% have not provided security checklists.
How did that slip by you, or will you refer this back to Mr. Hines?
:
Mr. Chairman, if I may respond to that and help put the question and the observation about the 8,500 contracts between 2002 and 2007 into context, National Defence has more than 20,000 buildings, more than 13,000 works, and more than 5,000 kilometres of roads, so the construction and upkeep of those are what generates the volume of contracting.
A fraction of that has a security requirement, and I can tell you, sir, that as part of the action plan to follow up on the audit, we're reviewing those contracts to determine where there may have been any weaknesses in terms of security procedure and in fact in terms of security impacts, and so we're following up on those.
Good day to you all.
Madam Fraser, on page 3 of your report, in the section entitled “What we found”, it is stated that:
They also include thousands of contracts for national defence construction and maintenance projects across Canada awarded by Defence Construction Canada [...] It is not known to what extent government information and assets may have been exposed to risk and who is accountable for that risk.
What is stated in that paragraph is quite significant. If you do not know the extent of the risk, that means that Defence Construction Canada and the defence department were not able to give you the information that would have allowed you to assess whether there were risks or not. My predecessor spoke about the construction of a NORAD centre in North Bay. This all appears to be of some concern.
From the responses you have received to date, what has led you to conclude that there was no risk? Are there still risks out there? Is that something you can eliminate?
:
Thank you, Mr. Chairman.
In the course of the audit, we noted that for the majority of construction contracts, the check list or security control list had not been completed. That was not a requirement. We believe that an analysis must be done and that there needs to be some form of assurance that an analysis was conducted. However, someone decided that additional security measures were not needed. In fact, we do not know why there is no check list; it could be because additional security measures are not needed or because of an oversight.
There was some confusion between the roles and responsibilities of Defence Construction Canada and those of the department. Who is truly responsible? Today, the corporation indicated that the responsibility to determine the security needs rested with National Defence, and that they, obviously, build according to the plans and requirements set out by the department.
We recommend that the check list be completed for all projects and that, even in those cases where there are no additional or heightened security needs, that be clearly indicated, in order to ensure that someone has reviewed the project and then come to that conclusion.
We reviewed the action plans and they seemed to be appropriate. If the measures are taken, they will satisfy our recommendations. Of course, we will have to conduct an audit at a later date to ensure that the actions have indeed been implemented.
:
My next question is for National Defence officials.
In the same report, the auditors indicated that National Defence was concerned that the lengthy security authorization process might delay the awarding of contracts, and therefore their completion. That is what some people told the Auditor General. You can read that in section 1.77. What is the policy at the Department of National Defence? Should security not come before everything else? National Defence officials say they fear it might delay the work, but it seems to me that every means available should be used to ensure that things are done in a very secure manner, even if that means project delays.
Earlier, Ms. Fraser indicated that Canadian and foreign workers had had access to plans as part of the NORAD project, among others. Are there other similar examples? Could it be that, in other cases, people were not asked to submit to security checks, and that they were able to gain knowledge of National Defence plans?
:
Mr. Chair, as I said earlier, the Minister of National Defence has accepted all of the Auditor General's findings, whether regarding the North Bay project or those of a more general nature. We are taking this very seriously.
The paragraph you mentioned, Mr. Laforest, states that the other security measures were taken. Security guards escorted those contractors who had not received clearances. So, all other measures were taken. We did take good note of these issues, however, and our action plan states that measures are being taken to correct the problem.
:
Thank you, Mr. Chairman.
Thank you, Mr. Guimont, and Mr. Nicholls as well, for the proactive way you have addressed many of the concerns in sending the plans over.
There are two things that have been touched on, so I'd just like to clear them up.
Mr. Stevenson, Mr. Wrzesnewskyj was asking you some questions regarding an observation that the Auditor General made, that 99% of the contracts didn't have a checklist. It sounded to me like you put some clarity to it. You were saying that these were all the contracts that were issued, and a vast majority of them would not have had any security element.
Is that what you're saying?
Mr. Guimont, in your opening statement you mentioned that one of the parts of your action plan was to institute a certification process to ensure that client departments clearly identify, for every contract request, whether there's a security requirement or not. So this certification, I'm assuming, would mean that if they certify there is no security element, then they would not have to hand in a checklist. If they say that there is, then you would demand a checklist.
Is that correct?
:
Actually, I would answer the following way.
Departments have to comply with the government's security policy that my colleague Mr. Cochrane spoke about. So it outlines the requirements. They have to have a departmental security officer, we heard in DND, and it's the same thing for Public Works and any other department. So it essentially sets the framework against which they have to be doing business as it relates to security requirements.
We in Public Works generate our own contracts, about 1,500 per annum. Therefore, it is a side of my department in proceeding with contracts—so-called contract authority—that this person has to say there is a requirement. When the requirement is identified, it goes to the industrial securities program segment of my department and things are done.
We also carry out so-called assessment work for departments for about 500 contracts. So per annum overall, for 2,000 contracts, 1,500 were generated by Public Works, and in 500 a department tells us it has a security requirement and would like the industrial security program to carry out the work needed to clear these individuals or companies.
That relationship, by the way, can exist between me and DCC. If DND flags a requirement and DCC says it will look into it, it can do it or come to me and I'll do it on its behalf. That is a sub-segment of the so-called 2,000 contracts we do per annum.
The point I'm making here is that departments have responsibilities under the government security policy. They can come to us in certain cases and we will do it. I generate a fair amount of work myself through the contracts that I issue.
:
Yes, I understand your question.
Essentially the point you're making speaks to our enforcement and compliance responsibilities, which are discharged in part through inspections. It's not only that, frankly. The Auditor General did also pick up on certain documentation that was missing. When you look at it, we had an onus to ask the company to provide this information. I'm thinking about the security briefing, the so-called security agreement, but it's also the onus of the company to provide this information proactively.
So I'm not going to start sharing blame here. These documents should have been on file.
Normally our inspections allow us to make sure that the company security officer meets the requirements. I will give you examples. Certain sections of the company, where sensitive information may be dealt with, would have padlocks. Their ID systems will be pressure-tested to certain standards. There will be security officers with badges. I'm giving you examples of requirements that may be part of a contract clause, and we expect the company to discharge that. Our way to check this is through inspections to make sure things are happening the way they should. In the past we've carried on inspections, and we are augmenting that in other inspections that we're carrying on.
:
This has been at the core of the issues we face in this audit.
To be very clear with you, the basic financial base of that program is about $6.7 million per annum. In my career I've rarely seen a program being doubled by reallocation within a department. I guess someone can point to an exception, I'm sure, but normally a reallocation to a program is a top-up. You add 10% or a 20% because of workload, complexity, or a special project being asked of the manager.
In this case the reallocation, on average, in the last couple of years was $6 million--a $6 million reallocation, a $6.7 million base. What it speaks to is two things. First of all, the program experienced a significant workload increase as a result of 9/11. The second point is more contracting activity as a result of the economy growing.
Nobody should be surprised by that. I don't know what the curve is, but it's normal that as you have a growth in economy you can have more contracts, more activities. So that's another element.
This is compounded by the fact that if you reallocate, you reallocate on a yearly basis. So if I am the manager, I have my base of about $6.7 million, and the department, through the deputy minister, reallocates on a yearly basis about $6 million, but I can't use that base, which is a reallocation, to plan long-term staffing. It creates a vicious circle. The cash is there. The cash can be used, but you're trying to attract talent. You say, “Well, yes, I would like you to come over. We have good important work. It's actually interesting work, to be honest, but I'm giving you 12 months because we're trying to stabilize the workforce and the budget.” So it creates a bit of a conundrum, where we try to staff and people come. Because it is a 12-month assignment with a potential window--it's a 12-month assignment vis-à-vis the budget you have that year--people do come and leave.
Secondly, some people have other options than having to work for 12 months. That's another thing. With people leaving, you lose corporate memory. You train them, you prepare them, they do good work, and then they potentially leave. The numbers that the Auditor General picked up are accurate: 28%, 29%, 30%. It's a significant part of the workforce that is unstable, if you wish, in the sense of contributing in a steady fashion to the outcomes they're trying to achieve.
I'm trying to explain here the dynamic vis-à-vis the resources. Now, the answer for me as the accounting officer is to work hard at getting a stable long-term multiple-year base. I've been working at this with Treasury Board, at Privy Council Office.
:
Thank you very much, Chair.
I want to thank all of you for being here today.
I think we all should pay attention to what the Auditor General said in the third paragraph of her comments today. Given where we are in the world and what's going on, this statement, that “We found serious weaknesses at almost all levels in the processes set up to ensure the security of government information and assets entrusted to industry”, is a damning one. It would be at any time, but in this day and age I'm just blown away hearing this kind of thing. When I think about all the things the public is being told they are responsible for--that security is everything, that everybody has to be on guard, that we're all supposed to be practically looking over our shoulders--the fact that we have stuff like this going on is absolutely unbelievable and totally unacceptable.
So where do we start here? Let's start with Public Works and Government Services and the industrial security program. How long has that been around?
:
Holy smokes! I was getting ready for somebody to say that it was a couple of years old and that's why we're in trouble; 1941 takes my breath away.
Now, during the audit, the auditor reported that the mandate was changed twice during the audit and that standard operating procedures for the program were in draft form and incomplete.
Somebody start talking. The questions are obvious. Somebody please tell me how we could have an audit going on, the mandate changes twice during the course of the audit, we have standard operating procedures in terms of the program but they're in draft form and incomplete--and you tell me it's been around since 1941. Somebody please tell me what's going on.
:
Essentially the answer lies in what I explained vis-à-vis resources. We have a program that has not been resourced at the right level.
I think the department really made efforts to top up that budget in a very responsible fashion. To give $6 million, on average, in the last couple of years to a base of $6.7 million is quite telling. It's not like $100,000 or $1 million was given. It was a substantial amount. So that's the first thing.
With regard to your point about draft policies and procedures, frankly this speaks to the fact that people were going to the more pressing and the higher priority. I am not saying that finalizing the procedures and policies is not important, but they did exist. They were in draft form, not finalized. And they have been finalized, very quickly. This was taken on as being a priority, picked up by the OAG--
:
I don't really disagree with you, frankly; it's a very good point. As the accounting officer, when I sat down with my staff, I was a bit surprised that since 1941.... But setting that aside, in recent years the program had not been audited, because probably some of these things would have been picked up.
An audit is not a bad thing. An audit says you have problems here and problems there. I'm not going to pass judgment on that. It was not audited. I would like to have seen it audited in the context of a big department. You have a risk-based approach, and someone somewhere--your own people, not the OAG--says you should be looking at that program. I think a lot of these things would have been picked up and corrected.
I just want to leave with you the thought that when people are trying to work in an environment where both the complexity and the workload have increased, they will go to the more pressing. They're trying to do a good job, and things like websites and going from a draft to a final policy will be of lesser priority even if they are, to my mind, important, critical.
There is one last point: it was done, and it was done quickly. They were draft. It's not as if they didn't exist. They were polished up, buffed up, and finalized.
:
I want to get a little more detail, because here's what I'm worried about. If we don't find out how this happens, then how are we going to have assurances that you have mechanisms in place to make sure it doesn't happen again?
I appreciate and respect the fact that it's done and taken care of, but there are some things here we want to get to the bottom of. Again, it's nothing to do with individuals--people move and so on--but it's about positions and systems and processes being in place to adequately protect national security.
I want to go to another issue that was pointed out in the audit. There had been 24 contracts awarded before contractors were given their security clearance. This is under a “secret” level of security clearance. For four of those contracts, the work was completed before the contractor was cleared. How? How can that be?
:
In the same way as I looked at the 24 contracts, I also looked at the overall sample of 86, and quite a number of them were done correctly. It was important to me because I wanted to understand if there was something systemic or systematic in the industrial security program. The answer to that is probably no, because the majority were done correctly.
In the case of those contracts that were done ahead of time--contracts awarded before security clearance was awarded correctly--the OAG picked up that at least in six cases some measures were put in place to mitigate risk. That's the first thing.
In the second phase of our action plan we looked at all those 24 contracts to see if measures had been taken. I know it was after the fact to see if measures had been taken to minimize risk, but for the 24, they had been. In the same way as the OAG looked at six, we looked at the 24. In some cases resources that had access to certain information were escorted; in some other cases the contract had started, but the sensitive information had not been used by the contractor.
:
What would you do if you found out you had serious security problems after the fact? That's the whole point of it. You have these going through at a secret level. It's not like we are talking routine; it has “secret” stamped all over it.
This is mind-boggling. These contractors came in and did the whole job. You say there were some mitigating circumstances, but it wasn't a full security clearance. What if, when you did a full security clearance after the fact, you ran into a situation like the NORAD one? We'll come back to that in a minute, but where would you be then, and who would be responsible?
Thank you to the witnesses.
I'm going to continue on that point because I'm concerned about it and I'm not quite clear on the answers that have been given.
There were four specific examples in which the work was completed prior to the security clearances being issued. In these 24 contracts requiring a secret level of security clearance, the contractors had been awarded the security clearance before this had been done. That is very concerning, and I'm not hearing a lot about how you're going to rectify it. Mr. Christopherson rightly asked what could have happened after they awarded this. Yes, they all received security clearance, but what happens if there had been issues? In four cases the work had already been completed, so those issues would only have been caught after the work was completed and everything was done.
This is very serious. It deeply concerns me, and I haven't really heard clearly, Mr. Guimont, how we're going to make sure it doesn't happen again, or a proper addressing of how it could have been allowed to occur in the first place.
:
We have the four-phase action plan. We have it addressing, first, all the recommendations made by the OAG. That is done. I'm not talking about a month from now or two months from now; we've done that.
There is one component related to IT that we will have completed sometime next October. This is to have a better cross-log of information between our contracting authority and the industrial security program database, which were disconnected for reasons of security. That is going to be done in October. That is the first phase.
The second phase is that we have looked at the 24 contracts to make sure we were satisfied that we would be at a low risk for breaches of security, and we're satisfied that is the case. The people in the 24 contracts were cleared. After the fact is not the ideal situation, but that is the reality.
On top of that, we've decided to look at active contracts, 3,000 of them, to make sure the elements picked up by the OAG don't replicate themselves into the active contracts. We are proceeding with that. It's a three-stage approach, and it will be completed in August. We are doing this very systematic wall-to-wall approach to make sure we're minimizing risk for the contracts. These measures are in addition to the procedures and policies we're putting in place and the management review we're carrying out on the program overall.
:
We are certainly pleased with the action plans that have been presented. As was mentioned, we did review the action plan of Public Works, and it does address our recommendations. I say that, of course, under reserve. We will eventually go back and re-audit this to make sure these things are being put in place.
On this particular question, though, it would be easy to say that all the clearances have to be in place before the work begins. But sometimes that isn't the reality. What we would expect in that case is that there would be a very detailed and complete risk mitigation plan, so it would be clear up front that if the clearances aren't all in place, yes, the project may start. But what information do those contractors not get access to? What other risk mitigation techniques would be used until the security clearances come through?
I think that would be the way to probably handle that kind of situation.
:
I would suggest that the committee is going to want to keep a close eye on this as well, to make sure that happens. I think you heard expressed today a lot of concern.
If I could, I'll go to a recent concern, related to this chapter, that was very disturbing. This is to Mr. Guimont. It is with respect to the 138 CDs that were released--in fact, most of them are still out there--which contained detailed corporate information, such as details about pricing and bidding. There were a lot of companies concerned that this would severely damage their ability to do business in Canada.
I want to know if you can tell us where that is right now. How many of these CDs have been brought back in? What work is being done to rectify this situation and to ensure that this doesn't happen again? That is something, as well, that causes a great deal of angst.
:
There was no circumvention at that point. Subsequently, during the construction of the facility, it was determined that the security measures had to be in place. Security measures were put in place to either have cleared contractors working on the facility or have those contractors working on the facility under escort. As the construction of the facility went on and we got ready to install systems, additional security measures were put in place.
It was a phased approach from the standpoint of starting from bare ground, where there were no security concerns, threats, or risks identified, to the point where systems were installed and the facility became secure and sensitive.
During these processes we continued to do testing through a variety of technical means, and we continued to do physical security inspections to ensure that the integrity of the building was maintained throughout.
:
I hate to do this, but as you are aware, we did a report in May 2007 that commented on the NORAD project. When we did that audit--as we mention in the text box on page 25--there were serious concerns raised by National Defence about the security of that project and the ability to close the below-ground project. They were not sure at that time if they could move all the systems up. I'd be interested to know if that below-ground complex has actually been closed, because that was what the above-ground one was for.
We have summarized in this text box the concerns about whether it could be used for the intended purposes and the access that contractors, both Canadian and foreign, had to the site. When we completed this audit, they indicated that they could, with certain modifications, use the building for the intended purpose.
We had asked for details on what those modifications were. As you will see here, at the time of our audit we did not receive any detailed plans or schedules. All of this text, as is our standard process, has been agreed with by National Defence, and they have agreed with the validity of the facts.
So there seems to be a little confusion here, but certainly when we did that original audit there were concerns about the use of that building.
:
As I stated in response to one of the earlier questions, the department has accepted the findings. That is clear and is normal practice. I would also say that we have accepted the responsibility for resolving any of the shortcomings and weaknesses that are there.
On the specific question as to whether we can prove with 100% certainty, I think that's akin to proving the negative. On that basis we continue to do ongoing security assessments. I think that is a part of the overall approach to security, which is more of a risk management process. To arrive at a position of zero risk is the objective, but it is not necessarily an attainable one.
Mr. Chairman, I'm sorry if I haven't gone as far as what you're looking for.
:
Maybe, Mr. Chair, I could respond to this.
You would look at the efficiency within the system and ask that question, which I think is a legitimate one.
One of the things the Treasury Board Secretariat is actually engaged in with Public Works and the PCO is leading an initiative to look at personnel screening across the entire system. As a result of looking at personnel screening—that would be the folks who work inside the government, contractors, and other programs where screening occurs—the opportunity exists for us to look at efficiency. So that's an initiative that's under way. We haven't responded and indicated that we think we should centralize that capability, but it certainly allows us to assess the whole system of screenings in government, because a lot of this has to do with the screening of people and assurance levels to determine how we might want to manage that differently.
So a final decision hasn't been arrived at, but we are looking at it holistically across the government, partially for efficiency but also partially to ensure there are standard approaches to security screening.
Before we start the first round, I want to follow up with you, Mr. Cochrane, and perhaps also the Auditor General, on the role of the Treasury Board in this whole issue.
When I look at the thing and I read the reports, it looks to me as if there has certainly been a lack of clarity, a lack of interpretation, with this policy. There has been non-compliance in the interest of efficiency, and general confusion.
In fairness, sir, I think since the audit has come out, and probably during the audit, there has been a lot of work done, and perhaps we may be on the right track now, but on government policy, when we look to the administrative arm of government and the Treasury Board to develop the policies and monitor and ensure that the policies are being followed consistently through all departments and agencies, that is, in my view—and I may be wrong—the role of the Treasury Board. This policy seems to have gotten seriously off the rails.
Do you, Mr. Cochrane, on behalf of the Treasury Board, accept any responsibility for this whole problem that has been allowed to develop?
My supplementary question is to the Office of the Auditor General. What role do you see for the Treasury Board in a situation like this, and in your opinion, has Treasury Board been fulfilling its role?
Mr. Cochrane.
:
The responsibility of the Treasury Board Secretariat, in many different policy areas, is to fundamentally establish the management policies of the Government of Canada. What we've been doing over the course of the last two years is going through what we call policy suite renewal. The reason for that, I think, is that fundamentally when you look at the range of management policies that existed, there were some 180 management policies in the Government of Canada prior to policy suite renewal. We're actually refining that down to about 44 policies. So one of the jobs is to try to undo this web of rules and clarify what people are responsible for. That's a big part of our role, to try to clarify things much more substantially for departments.
Part of the policy suite renewal is also structuring things so that when you look at the policy you get an instant indication of whether there is something that you need to do for contracting. It's not buried somewhere. It's very clear and consistent that there's something I need to do for physical security.
So I would say that the policy material that was there was probably difficult to work with overall. We're implementing many elements that will add to the controls. One of those is to monitor—that's probably not exactly the right word—or work with departments through the management accountability framework to do regular assessments on an annual basis to determine if the policies are being followed. We can carry that to very deep levels of assurance if we choose to do so.
This discussion always comes back to the relative weight of responsibilities among the central agencies, the Treasury Board Secretariat and the deputy ministers and their own departments. It is up to the Treasury Board Secretariat to establish those management policies. They should be doing some monitoring, but I think at the end of the day we also have to say that it is up to the departmental heads to make sure their departments are meeting and respecting the policies that are put in place. The burden isn't only on the Treasury Board Secretariat.
Certainly in this case there is confusion in the policy. There was confusion about roles and responsibilities. I think that underlying a lot of the problems was perhaps the lack of--and I hate to use these words--importance or significance that a lot of people put on this whole area. People allowed contracts to go on for 11 months before security clearances were in place. For the program itself, I'm sure those people there did the very best they could, but when half of your funding is the temporary reallocation each year, it's very difficult. I would expect Treasury Board to perhaps ask where programs like those getting these temporary reallocations are.
If you don't have stable funding in government, it's very difficult to run these programs. If you don't have the people there to do the job.... You have to almost commiserate with these people who are trying to do the workload if they have...I think it was 28% vacancy and another 30% who are temporary people.
At the end of the day, I think there were a lot of factors that came into it. Certainly stable funding is one of the major factors in the problems that we saw.
:
First of all, we heard all of this. Have there been incidents of problems? Are we talking about preventive measures? Can anyone say yes, we've had incidents where there were problems with security? Are we simply working towards prevention?
The second question I have to pose, after listening and watching in many of these, is on efficiency. If DND want a project, and they define it, then they work their way up through Public Works and into Treasury Board and back down to contractors. When we think of the timeframe of efficiency in terms of need and in terms of actually being able to use the asset, could Treasury Board look at that and give to our committee a timeframe of how efficient we are as a government in providing to a department the assets that it needs?
Also, in terms of bidders, in terms of industry we have today ISO qualified, we have nuclear certified, we have all of these. For the contracts issued by Public Works, are the bidders who come in certified to do what you ask them to do? Are you dealing with a lot of contractors who are going to get this qualification after they do the bid?
Maybe Mr. Guimont could identify. Is there a problem? Do we have contractors out there who are not certified, who are not qualified, but who are bidding or wasting our time or the time of the Department of National Defence? Or do we have an efficient system to deal with a fair and transparent bidding process?
:
Mr. Chair, essentially the answer falls into two areas.
When a requirement is identified, there's an assessment carried out, and a contract clause is put forward. In order for the successful bidder to be able to get the contract, he or she or the company has to be able to meet the security requirements. That is a requirement. In some cases we do, at the request of certain companies, provide for pre-clearances. That doesn't happen in the majority of cases, but it does happen. Therefore, a potential bidder, on a contract yet to come related to certain security requirements, may say that it's probably a good thing for them to get some clearances, approaches, or industrial securities program, and ask for a clearance. Frankly, we say there's a potential for that company to be a bidder down the road, and we will carry out a process.
:
DND would have that requirement. I'm surprised that this contract went to North Bay and that companies got involved that weren't certified to do it.
Now, to go a little bit further, we'll say that you have maintenance people working at DND headquarters here in Ottawa. Contracts are given for people to do maintenance. How do you deal with clarifying the security level of people who are going into DND headquarters to do that maintenance work?
Second, you hire casual people through a company here in Ottawa, and those casual people handle some very sensitive information in the IT sector. How is that managed? Within the contracts for maintenance, is there a system for the provision of casual workers who do clerical work? Are we secure in terms of the people who are entering the most sensitive part of the whole National Defence system?
:
Yet my understanding is that the government security policy, from what you were saying earlier, is sort of the big picture, and the security and contracting management standard is sort of the detail within that big picture, in a sense.
How could you update the government security policy immediately post-9/11 and not automatically, as part of that process, update the security and contracting management standard, where the details are, including the checklist we're talking about here? It doesn't make any sense to me. We're sitting here now, five years later, and it says here that “Treasury Board Secretariat has informed us that it plans to update”. So it still hasn't happened. It doesn't make sense.
:
I agree with you. Frankly I try to look at it as the glass half full, but on sensitive contracts I don't question the point you're making.
In the course of assembling the sample, we did pick one area that was different from high sensitivity. This was secret/top secret. It has to do with protected information, which is different, as you may imagine. It was the same pattern, which is that a contract had been awarded, work had proceeded, and we screened the person to the right protected level: protected B.
The point I'm making is that in certain circumstances there's more risk tolerance. But in other cases, I agree with you. When you're talking secret/top secret, the margin of error for documents missing or not following procedures should be close to zero. Now, that does not bring risk to zero--that's another issue--but our procedure should be followed correctly.
:
It's different in three ways.
First, for those contracts that we generate, our acquisition branch now systematically flags, per a policy, the requirement for security. That is not only done manually, it's going to be done through our IT system. So that's the first thing. We have reinforced the need for that through communication and discussion with our staff.
Second, the program, headed by the director general, is more systematic in making sure that security clearances have been obtained at the time of contract award, which was the issue for the 24 that were singled out. That is the second thing we are doing.
Third, as I said, we're trying to find a long-term resource base that will ensure we have continuity in the program, so that the investments we're making in people and systems today are not lost as people leave.
My first question is for Ms. Fraser.
You said that the NORAD situation had changed since last October. In your brief this morning, you still expressed some concerns, i.e., that the NORAD complex could not be used for its intended purposes. Did the information that the Department of National Defence and Mr. Stevenson provide us with this morning on the measures taken alleviate your concerns?
I was not a party to the discussions on this project involving the Office of the Auditor General and the department. If possible, I would like to gather more information on the key questions that the OAG raises in points 1.74 or 1.75.
Nevertheless, I can tell you that the expected cost of construction was $25.3 million. The final cost of construction was $24.9 million. The project's budget covered all construction costs.
Did the budget provide for additional security expenses? If possible, I would like to provide you with that information at a later date.
:
I absolutely agree that we don't want to burden the system with a lot of unnecessary consideration, but if people are going out to buy flags or whatever, it's pretty clear that there are no security issues there. It's when you get into defence construction contracts, for example, where we noted that for 99% of them there was no checklist done. At a minimum, there could be an indication that someone has considered the security aspects and has made a clear determination that there is no security. Previously that wasn't obvious, and so you didn't know if people had considered the security aspects.
At the risk of getting into a debate, in the NORAD project the security checklist was not completed, and there was no indication about security requirements, and so the people who were doing the contracting wouldn't know what clearances people should have. It's really up to the people who are running the projects to make that determination. Otherwise the people in Public Works, the contracting authorities, have no way of knowing--
:
I very much agree with Madam Fraser. It's not one-size-fits-all, and this is important for committee members to appreciate.
I'll give you an example. If, for instance, someone requires a contract, they require a screening, a reliability check, at the lowest level--protected A--it can be done in days. If I remember, it is three days. It can be a bit more complicated, but it's measured in days. Obviously, to be clear--and this is where Madam Fraser is--if it's run-of-the-mill we can be pretty efficient and therefore not create a burden on either business or capacity for the government to issue contracts.
Where it gets to be more difficult--and this is where the OAG focused--is when you get into the more sensitive files. There, clearly, when we're talking about clearances at a secret or top secret level, we are now measuring progress in months. So this is very different.
It is very important for whoever decides there is a security requirement to make the right call, because if the call is one of top secret or secret, there will be an impact. It's not a negative impact. It's going to be a period of time to do the job correctly.
The majority of so-called screenings taking place for government activity are done at the screening level, which often is done in days. We're talking in thousands. If I remember, going on memory, it's like 50,000 clearances or reliability checks per annum. The workload is measured in days.
I don't minimize that. It has to be done, but I would like to think it is not creating a huge burden vis-à-vis the benefits.
For the benefit of members and some of the work we have done, I want to put on the record that a page of the Auditor General's report says there was a review of all the agencies to see if they were doing security checks on contracting, and the only one that was doing it was the RCMP, so we have to give them their due where we can.
This is my second point. Deputy, with regard to your opening comments, I want to tell you how impressed I was, particularly that you caught on to this really quickly, when you were being briefed, as to where your priorities were. You got on top of this before the report was tabled, and you put in your comments additional steps that you have taken, which is very impressive, and you didn't go out of your way to tell us how wonderful everything is and that this was a minor exception. This was a big deal, and you dealt with it that way. I, for one, am very pleased with the way you have approached this, notwithstanding the grilling we're putting you through today, but given the importance, I think you will appreciate that.
I don't want to belabour this one to death, but there are a couple of little things that concern me.
Major-General, how long was the delay and how much was the cost as a result of that delay, and how much was the cost of the modifications to the NORAD facility?
:
I'm not aware what the timeline was for any delay; however, modifications that are performed and reworking that has to be done are regrettably all part of normal construction practices.
Some things were not put in right. We had cases where the locks were put on the wrong side of doors. We had places where conduit wasn't terminated properly in accordance with either good construction practices or the security rules we put on for the facilities. As you can appreciate, we have to make sure we know where any electrical conduit goes and that it's terminated correctly at both ends, because we're going to put communications or power cabling through that. In some cases it wasn't terminated correctly or there were junction boxes where they shouldn't have been, contrary to designs that had been approved.
So a certain amount of rework was required from a construction practices standpoint and a security standpoint, and that would have been picked up as part of the normal construction activity. The contractor would have been held responsible for fixing those things because they were implementation deficiencies, not design deficiencies.
:
Mr. Christopherson's opening comment about the RCMP jogged my memory. It was Mr. Crupi who was bounced out of the RCMP and ended up with the top security clearances that allowed him to work in the Canadian security establishment within National Defence. But let's set that aside.
I'm returning to page two under the heading of “What we found”. You found there was willingness on the part of National Defence officials to circumvent key security-related procedures. That's pretty strong wording, and it's quite clear.
Can you provide us, perhaps in the next two weeks, with a list of circumventions that you became aware of so we can clarify this point?
:
Thank you, Mr. Chairman.
I was reading through this report, and like everybody, I find some serious problems here.
Mr. Nicholls, I don't think we've heard too much from you today, but it seems to me in your opening statement—I don't have a copy of it—you mentioned that you have a great deal of experience at Defence Construction Canada. Did you say 50 years, or was it 90 years? I can't remember which.
:
—after 56 years, yet in your opening statement you said you had a great deal of experience.
I see in your letter to Pierre Boucher, dated January 16, 2008—I presume this has been tabled before the committee, Mr. Chairman—you're talking about your having to address two objectives. The first is to fully integrate the requirements of security into the processes that you use to execute your role as a contracting authority, and the second is to operate the company in accordance with the DCC security policy.
Again, with 56 years, you say you have a great deal of experience, and it takes an Auditor General's report to say, hmm, since we do all these security buildings, maybe we should think about it. Why has it taken this report to wake you up to say, we should do something?
:
Okay, well, I hope your next 56 years of experience will be a little more formal than the past.
Looking at paragraph 1.74, we're back to this above-ground NORAD building. Again, quoting the Auditor General, “This building was designed to house very sensitive and highly classified material”.
I have heard evidence around the table saying that you built the building, and then somebody decided to change the use of it, so you had to go back to check the security of it. Was the building designed for highly sensitive information and highly classified information, or was this an afterthought, and now that we've built it, we'll use it for that?
:
Mr. Williams, we have had that question three or four times during the meeting. There's an unanswered question here on this NORAD thing, and we've had the dialogue with the Auditor General, and I don't think we're going to get to the bottom of that.
Okay. That, ladies and gentlemen, concludes the questions. I want to thank all members of the committee. I want to thank all witnesses.
What I propose now is to go in camera and very briefly deal with the minutes of the steering committee. But perhaps before that, I will ask if there are any closing remarks.
Ms. Fraser, have you any comments before we do that?
:
I'd like to move on to point three, Mr. Chairman, addressing the leak of elements of the Barbara George report.
First, it was embarrassing. I had complimented the committee a couple of days before on how we had hung together and kept it all totally out of the media, and then, boom, it's in the media. It was shocking, disappointing, and I hope the person who leaked it is hanging their head very low indeed. It's despicable that someone who was reported to be held in contempt was reported in the newspapers with absolutely no knowledge of what was in the report themselves and no capacity to respond. They didn't know what the accusations against them were.
That was a despicable event, Mr. Chairman, and I would hope that whoever did it would stand up and do a mea culpa. It's not like leaking a report on the government, where things happen and where the government can respond. This was a direct condemnation by this committee on a particular person, who found all the elements of the accusation and the condemnation in the newspapers before they were even advised of what was our opinion, and therefore I found it despicable.
But unless that person is prepared to publicly stand up and accept their responsibility, I don't think there's anything we can do. I remember we had the Auditor General do an investigation into one of the leaks of her report some time ago, and that ended up just being an embarrassment, because we couldn't find anybody.
Therefore, I'm prepared to leave it as is, although I wouldn't mind passing a motion of condemnation of whomever. I hope they recognize the seriousness of this. It was on an individual; it wasn't focused on a government department and on something the government had done wrong.
There could have been no glory in it, because I didn't find any name attached to this. Nobody saw their name in lights on this, because they refused to even put their name to it, which is further condemnation of the low attempt to try to get some gratification and see something in the media that they caused when the person on whom it was focused had no capacity whatsoever to respond. That, I found, was the most despicable part of it.