:
I would like to call the meeting to order and extend to everyone here a very warm welcome.
Colleagues, today we're dealing with chapter 1, “Safeguarding Government Information and Assets in Contracting”, of the October 2007 report of the Auditor General of Canada.
We are very pleased to have before the committee today, from the Office of the Auditor General, Sheila Fraser, the Auditor General. She's accompanied by Hugh McRoberts, Assistant Auditor General; and Bruce Sloan, principal.
We do have a number of witnesses from the Department of National Defence. First of all, we have the deputy minister and accounting officer, Mr. Robert Fonberg. Then we have back again Lieutenant-General Walter Natynczyk, Vice-Chief of the Defence Staff; Scott Stevenson, assistant deputy minister, infrastructure and environment; Dan Ross, assistant deputy minister, materiel; Major-General Glynn Hines, chief of staff; Colonel Michael Day, commander, Canadian Special Operations Forces Command; and Lieutenant-Colonel David Shuster, director, deputy provost marshal security.
From Defence Construction Canada, we have Mr. Ross Nicholls, president and chief executive officer.
Again, I want to extend to each one of you a very warm welcome.
Before I call upon the Auditor General for her opening remarks, I do want to introduce to the members of the committee and the witnesses some very special guests in the room today. We're very pleased to have a delegation from Uganda, including three members of their public accounts committee.
We have the chair of the Ugandan public accounts committee, the Honourable Nandala Mafaabi. He is accompanied by two other members of the committee, Mr. Albert Odumon and Mrs. Margaret Kiboyijana. And with them, we have the clerk of the committee, Mr. Sam Emiku; the High Commissioner, Mr. George Abola; the director of administration and finance of the Ministry of Foreign Affairs, Mr. Samuel Kakula; the principal assistant of the Ministry of Finance, Mr. Lubega Yakub; and also Mr. Berti Kawooya from the High Commission.
So on behalf of the committee and all members, I want to extend to you, the visiting Ugandan delegation, a very warm welcome.
Some hon. members: Hear, hear!
The Chair: Ms. Fraser, I understand you have opening remarks.
We thank you for this opportunity to further discuss our work related to chapter 1 in our October 2007 report, the chapter entitled “Safeguarding Government Information and Assets in Contracting”, in particular, the issues we raised about the construction of the NORAD above-ground complex at the Canadian Forces base in North Bay.
As you mentioned, I am accompanied today by Hugh McRoberts, Assistant Auditor General; and Bruce Sloan, principal.
Perhaps I can begin by providing the committee with a quick summary of our audit findings since we first raised this issue. We first reported our concerns about the construction of the NORAD building in North Bay in chapter 6 of our May 2007 report. At that time, we noted that several questions about the security of the building remained, and we highlighted four important security issues, that: there was no security requirements checklist, and the department acknowledged that the review had not been done; the blueprints for the building had been placed in the public domain when they were made available to any interested contractor; there was limited physical control of the building and access to the site during construction; and finally, the workers on site had not been security cleared to work there.
[Translation]
We were also concerned because questions about the security of the building were delaying the move from the underground complex and delaying the realization of any savings that this move was to generate for National Defence.
At the time of our May report, National Defence was in the process of assessing possible weaknesses caused by the lack of security during construction. The department was also determining the steps it needed to take to ensure that the building was secure for NORAD and other base operations.
In chapter one of our October 2007 report, on “Safeguarding Government Information and Assets in Contracting”, we decided to follow up on the progress the department had made in ensuring the security of the building. The department informed us that after investigating, it had determined that the building could be used as intended if modifications were made. These modifications were due to be made by mid-September 2007.
I believe that National Defence has since informed this committee that modifications were made to fix construction defects and install monitoring equipment. The modifications, the details of which I understand to be classified, were intended to mitigate any potential security compromises. As our audit work was substantively completed in August 2007, we cannot comment on the actions the department has taken since then.
The department has also indicated to this committee that the nature of threats is such that eliminating risks is likely impossible. However, the department is satisfied that its mitigation measures addressed security concerns. Nevertheless, the department has also informed the committee that it is still assessing the best way to move two systems used for NORAD operations from the underground complex into the new building. We believe that one indicator of how well security concerns have been addressed is whether all the systems that were to be moved into the building are, in fact, there. The committee may wish to ask the department when it expects to be able to relocate those systems.
[English]
Our audit showed that many of the problems we identified may have been avoided if the government security policy had been adhered to more strictly at the beginning of construction. For example, completing a security requirements checklist might have helped the department identify security concerns before they became problems.
In its action plan, the department has committed to putting in place an interim policy on the responsibilities and obligations of all members of the department for security requirements checklists.
It appears that most buildings are treated as unclassified structures when construction begins. In testimony before this committee, departmental officials said that as building construction progresses, security requirements can change from those needed at a bare-ground, unclassified work site to those needed at a classified, clearance-required site. Although the purpose of the facility remains the same throughout the project, security may only be considered fully later when the department is preparing to make the building operational. The committee may want to ask the department how and when it determines the security levels of its buildings and what risks it accepts in that process.
As well, in previous testimony, there was discussion about whether the roles and responsibilities for construction security were clear between National Defence and Defence Construction Canada. In its action plan, National Defence committed to revising the memorandum of understanding it has with Defence Construction Canada and to putting a framework in place to manage industrial security on defence projects. I understand that a revised memorandum of understanding has been signed.
[Translation]
The department has put together an action plan and, as you know, has shared it with the committee and with us. We believe that it represents a reasonable plan to address the concerns raised in our chapter, and we were pleased to know that the department has set for itself specific deliverables with deadlines for implementation.
Mr. Chair, this concludes my opening remarks. We would be pleased to answer any questions.
:
Mr. Chairman, members of the committee, thank you for this opportunity to speak with you today.
First, I would like to apologize to the committee for any misunderstanding that the testimony given by representatives of the Department of National Defence in February may have caused. My intent in my letter of March 28, 2008, was to clarify that situation.
Let me assure the committee that the Department of National Defence takes the security concerns identified by the Auditor General very seriously, and let me say that we accept without reservation the findings and recommendations of the Auditor General's October 2007 report.
[Translation]
We have developed an action plan to address the problems identified by the Auditor General.
And in consultation with the Treasury Board Secretariat, Public Works and Government Services Canada and Defence Construction Canada, we are moving ahead on its implementation.
The committee was first provided with a copy of the action plan in March. And I believe that the committee has also received an updated copy of the plan.
[English]
Let me briefly outline for you some of the measures that have already been taken to improve security in National Defence contracting as a result of the action plan.
As of January 2008, we are confident that all National Defence construction contracts have a completed security requirements checklist or an attestation from the project authority that there are no security issues involved. This procedure will be formalized by 31 July, 2008, with the promulgation of a departmental directive on industrial security policy. As of next month, all contracts above $5,000—construction and otherwise—will comply with this requirement.
As well, the action plan references a memorandum of understanding between the Department of National Defence and Defence Construction Canada specifying the roles and responsibilities of both sides when it comes to security and contracting. As the Auditor General has just mentioned, this MOU has now been signed by National Defence and Defence Construction Canada. We have a copy of it to table with the committee if you so desire.
In addition, Mr. Chairman, as a result of the action plan, we are updating our industrial security policies and procedures to ensure that they meet or exceed those in the government security policy, which is being revised, as you know, as well as its standards and directives. We are improving security awareness and education on this issue within National Defence, and we are increasing our capacity to effectively oversee and enforce the industrial security policies and procedures that are being established.
National Defence is also taking steps to address possible security issues associated with the 8,500 contracts let between 2002 and 2007, as identified in the Auditor General's report. We have begun a risk-based review of these contracts to determine if there may have been a compromise of classified information or assets. Our reviews are continuing and, as noted in the action plan, we expect them to be completed by 31 July, 2008.
[Translation]
Finally, Mr. Chairman, I would like to speak to the concerns raised in your April 10, 2008, letter regarding the recovery of blueprints for the Canadian Joint Incident Response Unit being built in Trenton.
Our preliminary review of this situation indicated that departmental and Treasury Board security policies were followed. A security requirement checklist was completed prior to the award of the contract for the design and construction of this facility.
[English]
The blueprints contained no classified information and there was no requirement for contractual security provisions relating to their preparation. The facility itself is located within a restricted area of CFB Trenton, to which access is continuously controlled. The contractor and subcontractors were screened for reliability, and all others who required site access were escorted.
All that being said, I have asked my chief of review services to conduct a detailed review of this matter, and I anticipate receiving his findings and recommendations by the end of this month.
In conclusion, Mr. Chairman, let me again assure the committee that the Department of National Defence takes the security concerns identified by the Auditor General very seriously. The Auditor General has highlighted important concerns with respect to the department's approach to classifying construction projects. We must ensure that our assessments of threat and risk consider all security aspects of any new facility, including its future use, so that appropriate safeguards are in place from the outset.
[Translation]
Senior leadership within the department are fully aware of the matters raised by the Auditor General and are committed to rectifying these matters, as noted in our action plan.
I certainly regret any misunderstanding caused by the department's previous testimony and hope that my letter, and comments today, have clarified any discrepancies.
[English]
I'd like to thank the committee for the opportunity to personally address this issue today. I would welcome any questions you may have.
Thank you.
:
Mr. Chairman, honourable members, I am pleased to appear before you again. At the last Public Accounts Committee meeting I explained DCC's role as contracting authority for DND infrastructure projects and how DCC is accountable for taking the measures necessary to protect the sensitive information and assets identified by the department.
[English]
Since the April meeting of the committee, DCC has made excellent progress on its action plan to address the observations and recommendations of the Auditor General in her October 2007 report. Specifically, DCC has collaborated with DND in the review of security requirements for projects completed during the Auditor General's exercise and for all active contracts. As noted, DCC and DND have signed a revised memorandum of understanding that addresses our respective roles and responsibilities for the management of industrial security, and we've established a framework for the innovative management of security, as recommended by the Auditor General.
DCC has developed and implemented a comprehensive security policy covering all aspects of contracting, contract management, and the internal operations of the corporation. DCC has established a security management organization and has appointed corporate, regional, and site security officers. All of these officers have received security training, and all remaining Defence Construction employees will receive security awareness training within the next few weeks.
Threat and risk assessments for all DCC offices will be carried out by an independent agency in mid-June. These assessments address the physical security of offices.
In short, Defence Construction has made concerted efforts since the Auditor General tabled her report. I'm in a position to say that Defence Construction is managing the security requirements identified by DND in accordance with sound risk management practice and in compliance with the government security policy.
I'm of course prepared to answer any questions the committee may have.
Welcome. This morning we have a roomful of witnesses.
If you get down to the very basic question here, this was new construction being done in North Bay, and with it we have certain regulations called the government security policy. The Auditor General's report would indicate that there were problems in supervision with regard to that policy.
First of all, then, does the military recognize that policy, and do they try to adhere to it when they're doing construction at various sites?
:
First of all, we have tabled an action plan. I believe we have a revised action plan to actually table. The action plan itself is based on all the recommendations the Auditor General herself put forward in her report. Basically, there are four points to that action plan.
Just before I get back to them, I would like to say that the reality, which the Auditor General has recognized, is that the way most of our buildings work their way through the classification process is that, first, a function for the building is actually determined. Then there is a process by which the space is actually designed. Those spaces--the walls, the floors, the wiring, the plumbing--basically determine the scope of the project. The project itself may be broken into a number of contracts to put up what we have, in the past, considered unclassified. There would be another contract to fit up what may be classified inside the building should there be a need for any special kind of treatment, any special communications, or any special equipment that's going to be handled in that building.
Typically, in a situation in which we have a building that has a classified part to it, for the reasons the DSO noted earlier, to allow for as much competition in the bidding process as possible, we often will bid the shell unclassified, and we will bid a contract for classified work within that shell. I think what the Auditor General has pointed out is that we need to be more deliberate and more serious in the early stages of design with respect to our assessment of threats and risks for the full use of the building through its life. That is something we are currently doing.
Basically, there is a four-point action plan. We are fixing the security requirements checklist piece of this, as the Auditor General recommended, to either require an SRCL or to have an attestation or certification that one is not required. So we now have full coverage. You need one or you don't need one, and that's actually signed off.
We are in the process of clearly clarifying rules and responsibilities for everybody, through the contracting process, on the construction side, and more generally, on the procurement side. We will go through a deliberate process of propagating those new policies in a very clear way toward the end of July. We will make sure that they are amended as the government security policy, put out by Treasury Board, comes out. That will be after the end of July, I expect.
We have a group of people who are working on a very deliberate sort of communication awareness education plan for those in the department who will be involved with contracting, whether for construction or otherwise.
Thank you, Mr. Chairman.
:
Thank you, Mr. Chairman.
Looking at this MOU that we have been given between the Department of National Defence and Defence Construction 1951 Limited, which I think is also called Defence Construction Canada, I'm glad to see that they're taking security seriously, Mr. Chairman. There must be some things in here that we don't need to know, because we've been given the odd-numbered pages but we don't have the even-numbered pages. They must be the ones that have the classified information on them.
The other point I wanted to examine is that the agreement is dated June 2, 2008, which happens to be yesterday. I presume it's the motivation of coming before this committee that caused this to get done.
Am I correct, Mr. Fonberg, that getting this done was an important thing so that one could come to the committee and say we finally have this MOU?
In taking a look at the document I have here, the DCC Security Action Plan, I think, Mr. Chairman, if I recall correctly, that at the last meeting we were unaware—or I was unaware—that there actually was an MOU between Defence Construction Canada and the department and believed they had been operating for 40 to 50 years on a fairly informal arrangement. But I see that this new MOU replaces a previous one, dated May 18, 2001, that actually predates the 9/11 catastrophe in New York. I would have thought, given the whole new security awareness that event caused, that we would review our security in the building of infrastructure before this time.
Do you have any comment on why an old agreement that predates 9/11 was the MOU that was still being used?
Lieutenant General, do you have any comment?
:
Thank you very much, Chair.
I want to make a note of what you just said and I'm going to come back to that.
Let's put a focus to this. Mr. Williams is trying to suggest that this is only a gathering of folks with no real purpose. The fact is that we did deal with this once in a chapter review. We found serious problems. The Auditor General--I want to remind everybody--on February 26 of this year said in her opening remarks:
We found serious weaknesses at almost all levels in the processes set up to ensure the security of government information and assets entrusted to industry.
And on the same day, Mr. Scott Stevenson, the acting ADM at the time, said:
I have just outlined a number of specific actions the department has undertaken or will undertake to address the concerns raised by the audit. I can assure you that the Department of National Defence is committed to ensuring that sensitive information and assets entrusted to industry through contracting are properly safeguarded. As a result of the Auditor General's report, the Department of National Defence is making significant improvements to our security provisions.
We had our meeting and we had not yet met to write our report. In the interim, along come these headlines showing that these plans are in the garbage. We've brought you back here to find out where we are on this issue. Is it closer to the opening comments that the Auditor General made, that things are serious and there are weaknesses and this is another example of that? Or are the comments that everything is fine true, and we don't need to worry about anything? Or were we given nice little assurances, patted on the head, and the reality is that we still have continuing weaknesses? Hence the hearing to find out which of those two applications would apply vis-à-vis these blueprints being found in the garbage; let's understand this.
I understand the point being made that they weren't classified as...is “secure” the correct term?
:
Assuming that's the case--I'll just jump ahead a bit--I was a little disappointed to hear you say, sir, that you have a review going on and the recommendations and findings will be available at the end of this month. That is convenient in that we would have already met.
Was there any attempt, on your part, to call the clerk's department and say, “I have an internal review. You might want to hold off on your hearing until you get that review”? I'll give you a chance to comment on that. I found that it looks a bit strange that this well-publicized meeting is going to happen before the internal review is done, and there didn't seem to be any attempt to try to coordinate those things--the things at hand, the blueprints.
The other question is, should they have been labelled classified? Even if you followed all the procedures and ticked off all the boxes, that doesn't make the world okay. It's only a human-created piece of paper with human-created little boxes that may have got checked off, but at the end of the day maybe that procedure needs to change. Maybe that's where we are. Maybe that's what we'll find out from today. Your internal procedures were okay in terms of the boxes being ticked off, but we need to generate a whole new checklist and we need other boxes to be ticked off maybe in a more timely fashion.
But I have a real problem accepting that it's okay and it's not a big deal that blueprints for the new Canadian Joint Incident Response Unit in Trenton were found in the garbage. Let me get this straight. This unit is going to be the military's main responder to chemical, biological, and radioactive threats. That's what this centre is for. The design plans show, as far as we know, the electrical grid scheme for the unit's computers and details about sewer systems, areas for workshops, seed container loading docks, and offices for the unit's various troops. There is also a blueprint for the storage bay for the unit's robots, which are designed to detect chemical and biological agents. Never mind the checklist.
Somebody here please tell me, in a layperson's way, how that is not a security risk at some point. I'm a layperson. Explain to me how blueprints that show that kind of detail about the building are not a risk that you shouldn't take.
:
Mr. Chairman, first of all, on the issue of the review that is being done by the chief of review services--an error perhaps of omission that we did not inform the clerk, certainly not an error of commission--the timing of that review was always intended. I don't remember exactly the date the blueprints were found. I asked for the review to be done shortly after that, long before the timing of this hearing would have been set up. So I apologize for not having thought through the idea of informing the clerk that perhaps we wanted to wait.
We'll certainly make the results of that review to the extent there's nothing classified. I expect there will be nothing classified in that review. The report will be available to the committee as soon as it is available.
On the member's other question, Mr. Chairman, on the nature of the blueprints, I would turn it over either to Colonel Mike Day, who will be the owner of this building shortly, or put it back to the DSO. I am not unsympathetic to the questions the member is raising. All I am telling you is that we followed a process—process is not unimportant—established under the government security policy. Through our own departmental security policy we did a security requirements checklist on this project, and we came to the conclusion that the blueprints did not need to be classified.
I would just say, by way of closing, and then turn it over, that as it turns out, the electricals on those blueprints, as I understand them, were about 50% aligned or correlated with the final electricals within the building.
I'll turn to my colleagues for any comments they may want to make on the actual intention.
:
Mr. Chairman, thank you.
With regard to the blueprints and to the actual questions, I reiterate that the process that was followed did identify, as was discussed, all the checks in the box. Subsequent to both the Auditor General's findings and the complete acceptance of all those, a subsequent review was done with the security checklist being examined. That resulted in the decision that the actual shell of the building was not to be classified at that time. Subsequent to the blueprints being found in the garbage, that process has once again been revised, and certainly in hindsight, as the deputy minister has mentioned, we will relook at those criteria in order to determine if additional checks need to be considered.
With regard to the actual threat itself, we take that business, as the Vice Chief of the Defence Staff has said, very seriously. We go through a continuous review to determine whether or not we have risk or exposure to a variety of different threats and that isn't a one-time deal. As a result of this incident--I believe the blueprints were found on March 13--we immediately initiated an internal review of those security measures, not only of the building on site but the unit itself, to determine if there were any present threats that were identified. There have been none at the moment, which doesn't mean to say that abdicates our responsibilities. Rather, we subsequently looked at the renewed process and whether or not we would come to a different conclusion as those processes get changed. I believe, as the deputy minister said, we would likely come to a different conclusion.
What we have done in the interim is look at what we can do to mitigate that risk. I am satisfied that both internally, in my command within the CF, and in the department we have taken all reasonable precautions to ensure that any subsequent threat is of a reasonable nature and that we will be able to continually implement those improvements, as well as continue to review the threats and risks that we face.
I want to start with the scope of this. If you take the NORAD facility as an example, this is a major breach. You said this was a mistake. The problem is that it isn't just a security issue; it's also an issue in terms of the trust and support that we have with our allies and NORAD. When they're turning to us to work with them, if things that should have been classified....
You're saying that, in retrospect, this was an error and it should have been classified. I find it hard to believe that when we're dealing with a NORAD facility there would have been any other conclusion other than it should be classified. That hurts us. It hurts us not just in terms of a security risk, but also in terms of working with our NORAD partners.
I'm confused now because the comments of Colonel Day seem to indicate that there was a mistake in the classification of the facility, the Canadian Joint Incident Response Unit in Trenton, and that should have perhaps been classified.
There was a definitive statement that the NORAD incident was a mistake. Perhaps in the incident where this was thrown in the garbage, the Canadian Joint Incident Response Unit blueprints should have been classified. But in the Auditor General's audit, we found that 99% of the security requirements checklists were not completed, were not done.
So it's not as if this is a one-off. If we start with 99% not being done, should there not be an assessment being done in all of those instances, before contracts are awarded, especially if it's for something like a NORAD facility? But in general, is that not something that should be done? Is there a commitment to take us from 99% to zero?
:
Mr. Chairman, on the issue of U.S. confidence, the U.S. is, as I understand it, very comfortable with the state of that building and its actual use. They have sent their own teams to have a look at that building. So they are now very comfortable.
The only thing I would say in response to the member's question or concern around U.S. confidence is that, as I think the relationship has shown over and over again, confidence comes from recognizing any errors we might have around these kinds of things and fixing them quickly, fixing them in a way that actually works for both parties. I believe that actually has been done in the context of the North Bay facility, just from the perspective of U.S. confidence.
On the issue of the JIRU building and whether we made a mistake, I think I would actually like to correct the record, or at least address the comment. I'm not sure the colonel said that we made a mistake. I think the colonel said that if we were to look at it again, if we were to look at the threat and risk assessments around this, would we have done this differently? And I think the answer is, yes, maybe we would have done it differently. So I'm not sure that I heard the colonel--but I stand to be corrected--definitively say that we would have done it differently.
On the issue of 99% and moving that down, we now have in the department, essentially operationally formally required next month, every project over $5,000 either requiring a security requirements checklist or certification--as proposed by the Auditor General--that there are no security issues.
:
Maybe it's splitting hairs, but when you say in retrospect you would have done something differently and maybe it was not handled properly, whether or not you want to call that an error or whatever, my point remains.
My concern, and I want to hear a little more clearly, is what you're doing with respect to the classification of buildings, and secondly, how you're going to handle documents at various security clearance levels.
I don't accept, and I hope you don't accept, that blueprints being found in the garbage or being abandoned in some way that somebody else can pick up is acceptable, particularly if we say that maybe in retrospect those blueprints should have been classified.
Is there a policy, or are you looking at a policy, to handle documents of different security levels in such a way that this type of behaviour would be prevented? And can I ask what consequences there would be for individuals who would breach those new protocols, if established?
:
Well, the issue comes back to the fact that under the practices of the department at that time the shells of the buildings, in most cases, would not be considered classified. It was only when they started to do the fit-up of what goes inside that they then would look at classification.
One of the issues coming out of all this is that maybe they should be considering what is going to happen inside that building much sooner in the process--I think the department agrees with that--and what the context is around that building. In this case, I believe it was a training centre. A training centre in and of itself may not be particularly sensitive, but if you have sensitive conversations going on there, which one might think could happen in this particular location, maybe you would want to think about the security earlier.
This is one of the issues that I think are coming out of this whole thing. The way of treating the building as a shell, as being unclassified, meaning that all the plans for that are unclassified and open to the public, to people who are contracting on it, may not be the best way of going about this and that there should be a more rigorous security consideration given to what is going to happen in those buildings earlier in the process.
:
Do you guys want time for a hug?
I do want to use this as a little bit of a learning experience, though, if I could. The Auditor General was referring to this just a little bit when she states in paragraph 9:
The committee may want to ask the department how and when it determines the security levels of its buildings and what risks it accepts in that process.
As I read the rest of the paragraph before and just listened to the Auditor General, I had the same questions. It seems odd to me that something that would eventually be deemed classified would at some point earlier in the process be deemed unclassified, especially if it's known that eventually it's going to be an area where stricter security measures will be needed.
Maybe you could speak to that a little bit in terms of how and when you determine the security levels of the buildings.
:
Very early in the process, immediately after a statement of requirements is written, the project authority would assess...and the deputy minister has mentioned that we're actually making the policy a lot clearer for project authorities. The end-of-July policy will give some better instruction on how to actually assess threat and risk. Again, as the Auditor General mentioned, that's looking at the eventual use of the building.
I think a better way to describe this might be to give an example. The threat is fairly simple...well, not simple, but you look at a national threat and a local threat and our intelligence personnel would be able to provide us with that information. Probably a little more complicated is that the project authority has to look at the risk to personnel, information, and assets. Looking at the risk, they would look at the vulnerability of the assets and the information, the consequences of a security incident, and the probability of something happening.
As I said, I'm going to just give a quick example using perhaps a hangar. It's quite probable that in the 30- to 35-year life of that building there will be classified discussions in the hangar. However, it would happen once in a very blue moon. So you look at the probability of somebody putting a bug into the wall, if the threat were espionage, for example. When you look at the probability of that occurring, it's very small. So you could see building the shell of a hangar for fixing airplanes being one example of where unclassified documents would be acceptable and there's an acceptable risk.
If you look at an ops centre where there's a lot of classified discussion on a daily basis, you could see that hostile intelligence services may target a building such as that, and the probability of that happening would be a lot higher. In that case you would probably want to classify the shell of that building.
That's just an example of how we have been looking at threat and risk. As I say, we're going to give clearer instruction to project authorities to look more in detail so that when they make that decision, right after the early stages of that contract, right after the statement of requirements is done, they make the right decision on whether or not a security requirements checklist is indicated.
The current process is build the shell. Generally, it's essentially seen to not be classified because it's a shell with some plumbing and some wiring. As the vice-chief or Colonel Day suggested, as you move into fitting up or creating classified areas within that building, those parts of the contract or those contracts become classified, require classified contractors, security-cleared contractors.
Basically in the past we have said that if there is no required access to classified information, there is no required access to a classified area, the blueprints or the project are not classified.
Based in large part on the reality but also on the Auditor General's observations, the change we will make is we will now build into the decision at the front end what the DSO is referring to as a much more rigorous assessment of threats and risks, which are life-cycle, end-use issues around the building to determine whether the overall building should be classified.
:
Thank you, Mr. Chairman.
I guess the Auditor General gave the nod that you should be congratulated for a good business plan and a path forward. Obviously I should congratulate you for that, Mr. Fonberg, and for taking action.
I don't want to speak for everybody, but I think certainly one reason for some of the frustration and additional questions is that post-9/11 it still took an auditor general's investigation to really cause action to happen in this regard. It was obviously long overdue. There is that kind of feeling here. I know that there's no answer regarding that, but that's certainly the concern that I and some of the committee members have, that there should have been some mechanism so that there would have been a review and more initiative taken.
It does concern me that, as you mentioned, you did not find out how the blueprints got there. It sounded as though you weren't really concerned about investigating that aspect, about how they arrived in the middle of Bank Street, or talking to the vendors. Did I hear that correctly?
:
There are two different issues, Mr. Chairman. I think we are already in the process of looking internally. We will probably set a threshold that is beyond the government security policy for the actual classification of our buildings. We will strengthen the assessment of threats and risks in terms of the classification.
With regard to the handling of documents, I actually share the member's frustration. I think we were all puzzled, in some ways, to find out after the fact—maybe some of my colleagues before the fact—that there actually were absolutely no rules for the handling of unclassified documents.
So in my deliberations and discussions with Treasury Board, I have certainly been arguing that they need to be very clear--either that there will be or there will not be. I may have a preference, but there are implications associated with those preferences, as well.
:
Mr. Chairman, I will share my time with my colleague.
Mr. Fonberg, Ms. Fraser appeared before the committee in February, after tabling her report. In this report, she states:
It is not known to what extent government information and assets may have been exposed to risk and who is accountable for that risk.
When she was asked if she could exclude the possibility that security had been compromised, she answered: “In our opinion, there is a risk that security was breached.”
How can an organization committed to defending and protecting the public get caught by... How is it possible that an audit from the Auditor General's office was needed in order to reveal a situation that could have been dramatic? We do not know what exactly could have happened. Why do you not have sufficient internal control?
Had there not been an audit by the Auditor General's office, could you have applied some process yourselves to analyze the situation and make sure that it never happens again? This is extremely worrying.
:
The member has raised a number of issues, Mr. Chairman.
First of all, in terms of the issue of a breach of security or handling of classified information, the purpose of our review of the 8,500 contracts that were let is to ensure, ourselves, that in fact there were no breaches. If we discover that there may have been a breach, then we will take actions to deal with that.
I think one of the things the Auditor General's report showed--she is here, and she can speak to her report—was that there are systemic issues around this, that the government security policy itself, Treasury Board policy, was less than perfectly clear, Mr. Chairman, which led to different interpretations for those who actually were trying to manage projects, particularly construction projects. My understanding is that her recommendations to us, to the RCMP, to Public Works, and to Treasury Board will bring coherence and alignment, so that the challenges we actually experienced, which the Auditor General pointed out in her report, do not occur again.
:
Mr. Chairman, perhaps I can add a bit more with regard to our internal regulation and looking at the seriousness of this issue. Going back to 2005, the initial indications from the people in North Bay that there were difficulties on that base, reported through their chain of command to 1 Canadian Air Division, which asked for the services of the Canadian Forces national counter-intelligence unit to launch an investigation as to what occurred in this regard, they are looking at, again, the kinds of security issues and risks that the departmental security officer mentioned, looking at that whole thing, because again, leadership takes this very seriously. If there were indeed any kind of disciplinary action required, automatically it would go across to the Canadian Forces national investigation service in that regard.
So those investigations were launched. In addition to that, the military police launched an administrative review on how this situation could have percolated to that point.
Following the conclusions of those, and again, given the context that the deputy minister just mentioned—these policies that were not sufficiently specific because they had not been updated after 9/11, as we've described earlier—that provided the context. So having done an administrative review, a national counter-intelligence review, a national investigative service review, we then launched our own chief of review services to have a look at this, in the fall of 2006, with their director of sensitive evaluations and investigations, so another review of the situation, and then based upon the technical valuations of what was occurring, going into the mitigation measures.
That is just to say that these processes happen in parallel and are complementary to each other to ensure that the action plan is as comprehensive as we can make it to ensure for the security, and indeed the credibility, of this facility as we move forward.
:
I have found this session educational. Maybe it wasn't really necessary, but I found it educational. I'm not an expert in this area. I'm reassured by the testimony I've heard today, Deputy Minister and Lieutenant Colonel Shuster, and by the answers I've heard from you folks today.
I also want to thank, of course, the Auditor General and her staff, because she is sort of the catalyst for all the changes that have taken place here. Without her report, maybe we wouldn't have this good report card we're getting today.
I do want to pursue one area. I anticipate that there may be people in the public or members of Parliament who assume that the simple solution in the defence department is to just classify everything as “classified”. But as I said, this has been educational to me.
If an entire building such as the Trenton facility were a classified facility, I'm assuming that the contractor, the subcontractor, the architect, the engineers, the tradespeople, the workers on it, the key suppliers, and key service providers to the whole project would all have to go through some fairly stringent clearances. Is that correct, Mr. Fonberg?
:
Thank you very much, Chair.
I think we are actually getting to the bottom of the great National Defence blueprint blunder. It would seem that proper procedures were followed that allowed what most of us would call highly sensitive documents to be thrown in a dumpster. Therefore, proper procedures in this case are just stupid. I don't think you would find a single person--including in your review--in Canada who wouldn't say that leaving blueprints like that lying around is not in the best interest of the security of our country and our personnel. It's that simple.
I'm hoping and expecting that as a result of your review there'll be a change in the policy. The deputy minister has said that those documents were not outside the bounds of what the contractor can do with those blueprints. Hopefully in the future that will be outside the bounds of what a contractor can do. I think we've sussed out that much. While procedures were followed, they are woefully inadequate to provide the basic protection Canadians expect the Department of National Defence to provide.
Having said that...and I'm comfortable that this is where we are. If it isn't, I'll be arguing that you come back here and defend a policy that didn't make the change that makes this out of bounds.
But assuming that's where it is, Mr. Nicholls, I want to talk to you, sir. If it's currently not against procedures for these things to be thrown in the dumpster, your agency is responsible from a common-sense point of view. What is your defence for these documents--that you would be responsible for--ultimately being thrown in the dumpster? How was that okay in terms of your responsibilities, sir?
:
Everybody is going to check all the procedures, but at the end of the day, there is absolutely no common-sense support for this. You can run around and say that it was classified, it was unclassified, it goes into this category, it goes into that category, but the bottom line is that when we have a unit that deals with that kind of security, which is being built in Canada, and the blueprints end up in the dumpster, it's not okay.
You can hide behind all the policies in the world. The only thing I can hope for is that after everyone leaves here, we come back in a very short period of time with a whole new process that allows us, when the procedures are nicely followed, to actually get some common-sense security, because that's what this is about. It's about common sense, and not about whether something was ticked off in a box as being classified or unclassified.
If I have any frustration here, Mr. Chair, it's that we're not getting enough people saying, “Yes, committee, we accept that this doesn't make sense. We're going to go back and do all we can to make sure it doesn't happen again.” I'm not hearing that. I'm getting a little bit of it, but mostly it's, “Well, it wasn't classified, so we can do anything we want with it.” And I have to tell you that at the level of the ordinary citizen, this is just not acceptable. We expect better from all of you here than to be in a situation in which those kinds of blueprints end up in a dumpster. That just ought not be, and it can't be again in the future.
So please, come back to us with policies that will ensure that no one ever again has to deal with a blueprint blunder like this in the future.
Thank you, Mr. Chair.
:
I do just very briefly, Mr. Chairman.
There is a common-sense element to this, but the simple reality is that in a department that deals with 20,000 contracts or something per year, you need more than common sense. You actually do need policies, and you do need procedures.
I would not want to give the member any false hope that the outcome will be different, although the policies and procedures will be different. We will spend more time at the front end of every project assessing its risks and threats, which is essentially how I interpret the Auditor General's concerns about the end use of the building and the life-cycle realities of what might happen in that building. But I would not want to give false hope in any way that applying that new set of policies and procedures would necessarily or absolutely lead to a different outcome on the classification of these blueprints. It would come out of a process. We have policies. We have procedures.
If you're asking us--
:
I only have one brief question. I find this whole story of lost documents found in rubbish bins embarrassing. Nevertheless, as a former manager of large projects, which I was before I became an MP, I have a reflex that makes me appreciate your current efforts to evaluate the inherent risks of the project, at the very outset. I think that you are on the right track. However, it is unfortunate that such documents could have been lost.
Also, regarding large projects, there is a documentation system. From my past experience with all things having to do with the banking systems or with certain suppliers through the Canadian Forces, I know that the suppliers are expected to keep very strict documentation.
Mr. Glynn Hines, who is in charge of information management, could perhaps tell us how the major projects of National Defence are documented? Are there any practices for distributing documents, is there any requirement for treating certain documents with special care when they deal with projects? Could he also tell us about the standards for conserving documents, how long they are kept and what kind of documents are kept by the department? Were the plans that got lost in the trash can eventually recovered?