Public Accounts Committee on June 3rd, 2008

Hear, hear!

Thank you, Mr. Chair.

We thank you for this opportunity to further discuss our work related to chapter 1 in our October 2007 report, the chapter entitled “Safeguarding Government Information and Assets in Contracting”, in particular, the issues we raised about the construction of the NORAD above-ground complex at the Canadian Forces base in North Bay.

As you mentioned, I am accompanied today by Hugh McRoberts, Assistant Auditor General; and Bruce Sloan, principal.

Perhaps I can begin by providing the committee with a quick summary of our audit findings since we first raised this issue. We first reported our concerns about the construction of the NORAD building in North Bay in chapter 6 of our May 2007 report. At that time, we noted that several questions about the security of the building remained, and we highlighted four important security issues, that: there was no security requirements checklist, and the department acknowledged that the review had not been done; the blueprints for the building had been placed in the public domain when they were made available to any interested contractor; there was limited physical control of the building and access to the site during construction; and finally, the workers on site had not been security cleared to work there.

We were also concerned because questions about the security of the building were delaying the move from the underground complex and delaying the realization of any savings that this move was to generate for National Defence.

At the time of our May report, National Defence was in the process of assessing possible weaknesses caused by the lack of security during construction. The department was also determining the steps it needed to take to insure that the building was secure for NORAD and other base operations.

In chapter one of our October 2007 report, on “Safeguarding Government Information and Assets in Contracting”, we decided to follow up on the progress the department had made in insuring the security of the building. The department informed us that after investigating, it had determined that the building could be used as intended if modifications were made. These modifications were due to be made by mid-September 2007.

I believe that National Defence has since informed this committee that modifications were made to fix construction defects and install monitoring equipment. The modifications, the details of which I understand to be classified, were intended to mitigate any potential security compromises. As our audit work was substantively completed in August 2007, we cannot comment on the actions the department has taken since then.

The department has also indicated to this committee that the nature of threats is such that eliminating risks is likely impossible. However, the department is satisfied that its mitigation measures addressed security concerns. Nevertheless, the department has also informed the committee that it is still assessing the best way to move two systems used for NORAD operations from the underground complex into the new building. We believe that one indicator of how well security concerns have been addressed is whether all the systems that were to be moved into the building are, in fact, there. The committee may wish to ask the department when it expects to be able to relocate those systems.

Our audit showed that many of the problems we identified may have been avoided if the government security policy had been adhered to more strictly at the beginning of construction. For example, completing a security requirements checklist might have helped the department identify security concerns before they became problems.

In its action plan, the department has committed to putting in place an interim policy on the responsibilities and obligations of all members of the department for security requirements checklists.

It appears that most buildings are treated as unclassified structures when construction begins. In testimony before this committee, departmental officials said that as building construction progresses, security requirements can change from those needed at a bare-ground, unclassified work site to those needed at a classified, clearance-required site. Although the purpose of the facility remains the same throughout the project, security may only be considered fully later when the department is preparing to make the building operational. The committee may want to ask the department how and when it determines the security levels of its buildings and what risks it accepts in that process.

As well in previous testimony, there was discussion about whether the roles and responsibilities for construction security were clear between National Defence and Defence Construction Canada. In its action plan, National Defence committed to revising the memorandum of understanding it has with Defence Construction Canada and to putting a framework in place to manage industrial security on defence projects. I understand that a revised memorandum of understanding has been signed.

The department has put together an action plan and, as you know, has shared it with the committee and with us. We believe that it represents a reasonable plan to address the concerns raised in our chapter, and we were pleased to know that the department has set for itself specific deliverables with deadlines for implementation.

Mr. Chair, this concludes my opening remarks. We would be pleased to answer any questions.

Mr. Chairman, members of the committee, thank you for this opportunity to speak with you today.

First, I would like to apologize to the committee for any misunderstanding that the testimony given by representatives of the Department of National Defence in February may have caused. My intent in my letter of March 28, 2008, was to clarify that situation.

Let me assure the committee that the Department of National Defence takes the security concerns identified by the Auditor General very seriously, and let me say that we accept without reservation the findings and recommendations of the Auditor General's October 2007 report.

We have developed an action plan to address the problems identified by the Auditor General.

And in consultation with the Treasury Board Secretariat, Public Works and Government Services Canada and Defence Construction Canada, we are moving ahead on its implementation.

The committee was first provided with a copy of the action plan in March. And I believe that the committee has also received an updated copy of the plan.

Let me briefly outline for you some of the measures that have already been taken to improve security in National Defence contracting as a result of the action plan.

As of January 2008, we are confident that all National Defence construction contracts have a completed security requirements checklist or an attestation from the project authority that there are no security issues involved. This procedure will be formalized by 31 July, 2008, with the promulgation of a departmental directive on industrial security policy. As of next month, all contracts above $5,000—construction and otherwise—will comply with this requirement.

As well, the action plan references a memorandum of understanding between the Department of National Defence and Defence Construction Canada specifying the roles and responsibilities of both sides when it comes to security and contracting. As the Auditor General has just mentioned, this MOU has now been signed by National Defence and Defence Construction Canada. We have a copy of it to table with the committee if you so desire.

In addition, Mr. Chairman, as a result of the action plan, we are updating our industrial security policies and procedures to ensure that they meet or exceed those in the government security policy, which is being revised, as you know, as well as its standards and directives. We are improving security awareness and education on this issue within National Defence, and we are increasing our capacity to effectively oversee and enforce the industrial security policies and procedures that are being established.

National Defence is also taking steps to address possible security issues associated with the 8,500 contracts let between 2002 and 2007, as identified in the Auditor General's report. We have begun a risk-based review of these contracts to determine if there may have been a compromise of classified information or assets. Our reviews are continuing and, as noted in the action plan, we expect them to be completed by 31 July, 2008.

Finally, Mr. Chairman, I would like to speak to the concerns raised in your April 10, 2008, letter regarding the recovery of blueprints for the Canadian Joint Incident Response Unit being built in Trenton.

Our preliminary review of this situation indicated that departmental and Treasury Board security policies were followed. A security requirement checklist was completed prior to the award of the contract for the design and construction of this facility.

The blueprints contained no classified information and there was no requirement for contractual security provisions relating to their preparation. The facility itself is located within a restricted area of CFB Trenton, to which access is continuously controlled. The contractor and subcontractors were screened for reliability, and all others who required site access were escorted.

All that being said, I have asked my chief of review services to conduct a detailed review of this matter, and I anticipate receiving his findings and recommendations by the end of this month.

In conclusion, Mr. Chairman, let me again assure the committee that the Department of National Defence takes the security concerns identified by the Auditor General very seriously. The Auditor General has highlighted important concerns with respect to the department's approach to classifying construction projects. We must ensure that our assessments of threat and risk consider all security aspects of any new facility, including its future use, so that appropriate safeguards are in place from the outset.

Senior leadership within the department are fully aware of the matters raised by the Auditor General and are committed to rectifying these matters, as noted in our action plan.

I certainly regret any misunderstanding caused by the department's previous testimony and hope that my letter, and comments today, have clarified any discrepancies.

I'd like to thank the committee for the opportunity to personally address this issue today. I would welcome any questions you may have.

Thank you.

Mr. Chairman, honourable members, I am pleased to appear before you again. At the last Public Accounts Committee meeting I explained DCC's role as contracting authority for DND infrastructure projects and how DCC is accountable for taking the measures necessary to protect the sensitive information and assets identified by the department.

Since the April meeting of the committee, DCC has made excellent progress on its action plan to address the observations and recommendations of the Auditor General in her October 2007 report. Specifically, DCC has collaborated with DND in the review of security requirements for projects completed during the Auditor General's exercise and for all active contracts. As noted, DCC and DND have signed a revised memorandum of understanding that addresses our respective roles and responsibilities for the management of industrial security, and we've established a framework for the innovative management of security, as recommended by the Auditor General.

DCC has developed and implemented a comprehensive security policy covering all aspects of contracting, contract management, and the internal operations of the corporation. DCC has established a security management organization and has appointed corporate, regional, and site security officers. All of these officers have received security training, and all remaining Defence Construction employees will receive security awareness training within the next few weeks.

Threat and risk assessments for all DCC offices will be carried out by an independent agency in mid-June. These assessments address the physical security of offices.

In short, Defence Construction has made concerted efforts since the Auditor General tabled her report. I'm in a position to say that Defence Construction is managing the security requirements identified by DND in accordance with sound risk management practice and in compliance with the government security policy.

I'm of course prepared to answer any questions the committee may have.

Sir, they absolutely do. Security is a command responsibility. From the Chief of Defence Staff all the way down, commanders are seized of the importance of security. I would say that we have to inculcate a culture of security within the Canadian Forces and indeed with the Department of National Defence.

Mr. Chair, if I may, could I ask for clarification on the question?

Are you asking, sir, whether there--

Keep in mind that the project began in December 1995. A project manager would be responsible for this project.

I do not have his name. This site began, in terms of developing the statement of requirement, in December of 1995.

We'd be happy to get back to you with that detailed information.

I believe the Auditor General's report is very accurate on the lack of judgment by people in handling this case. Again, it speaks to the culture, where people did not understood the importance of security, especially in a facility of this importance to the security of Canada and our relationship with our American partners.

I was not in the department as part of this project. But we have to keep in mind the very different culture in the 1990s, the changes that occurred with 9/11, and then the significant changes in the culture of understanding the importance of security thereafter.

The security of the project when it began came under the auspices of the Chief of the Air Staff in the First Canadian Air Division. The commander of the First Canadian Air Division appointed a project manager on his staff to oversee this project with the commander in 22 Wing, which is North Bay, supported by the offices of the assistant deputy minister of infrastructure and environment.