Evidence of meeting #36 for Public Accounts in the 39th Parliament, 2nd Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was classified.
A recording is available from Parliament.
11:50 a.m.
NDP
David Christopherson NDP Hamilton Centre, ON
Okay, classified documents.
So we have two questions. First, were all the procedures and policies followed? I've just heard, no, there were mistakes made--
11:50 a.m.
Deputy Minister, Department of National Defence
Just as clarification, my comment was with respect to North Bay.
11:50 a.m.
NDP
David Christopherson NDP Hamilton Centre, ON
That's too bad. I was hoping you were going to tell us that this was the problem.
11:50 a.m.
Deputy Minister, Department of National Defence
I apologize. I should be clear that in this context our investigation immediately, as soon as this became apparent through the newspapers, showed no breach of any policy.
11:50 a.m.
NDP
David Christopherson NDP Hamilton Centre, ON
Assuming that's the case--I'll just jump ahead a bit--I was a little disappointed to hear you say, sir, that you have a review going on and the recommendations and findings will be available at the end of this month. That is convenient in that we would have already met.
Was there any attempt, on your part, to call the clerk's department and say, “I have an internal review. You might want to hold off on your hearing until you get that review”? I'll give you a chance to comment on that. I found that it looks a bit strange that this well-publicized meeting is going to happen before the internal review is done, and there didn't seem to be any attempt to try to coordinate those things--the things at hand, the blueprints.
The other question is, should they have been labelled classified? Even if you followed all the procedures and ticked off all the boxes, that doesn't make the world okay. It's only a human-created piece of paper with human-created little boxes that may have got checked off, but at the end of the day maybe that procedure needs to change. Maybe that's where we are. Maybe that's what we'll find out from today. Your internal procedures were okay in terms of the boxes being ticked off, but we need to generate a whole new checklist and we need other boxes to be ticked off maybe in a more timely fashion.
But I have a real problem accepting that it's okay and it's not a big deal that blueprints for the new Canadian Joint Incident Response Unit in Trenton were found in the garbage. Let me get this straight. This unit is going to be the military's main responder to chemical, biological, and radioactive threats. That's what this centre is for. The design plans show, as far as we know, the electrical grid scheme for the unit's computers and details about sewer systems, areas for workshops, seed container loading docks, and offices for the unit's various troops. There is also a blueprint for the storage bay for the unit's robots, which are designed to detect chemical and biological agents. Never mind the checklist.
Somebody here please tell me, in a layperson's way, how that is not a security risk at some point. I'm a layperson. Explain to me how blueprints that show that kind of detail about the building are not a risk that you shouldn't take.
11:55 a.m.
Deputy Minister, Department of National Defence
Mr. Chairman, first of all, on the issue of the review that is being done by the chief of review services--an error perhaps of omission that we did not inform the clerk, certainly not an error of commission--the timing of that review was always intended. I don't remember exactly the date the blueprints were found. I asked for the review to be done shortly after that, long before the timing of this hearing would have been set up. So I apologize for not having thought through the idea of informing the clerk that perhaps we wanted to wait.
We'll certainly make the results of that review to the extent there's nothing classified. I expect there will be nothing classified in that review. The report will be available to the committee as soon as it is available.
On the member's other question, Mr. Chairman, on the nature of the blueprints, I would turn it over either to Colonel Mike Day, who will be the owner of this building shortly, or put it back to the DSO. I am not unsympathetic to the questions the member is raising. All I am telling you is that we followed a process—process is not unimportant—established under the government security policy. Through our own departmental security policy we did a security requirements checklist on this project, and we came to the conclusion that the blueprints did not need to be classified.
I would just say, by way of closing, and then turn it over, that as it turns out, the electricals on those blueprints, as I understand them, were about 50% aligned or correlated with the final electricals within the building.
I'll turn to my colleagues for any comments they may want to make on the actual intention.
11:55 a.m.
Col Michael Day Commander, Canadian Special Operations Forces Command, Department of National Defence
Mr. Chairman, thank you.
With regard to the blueprints and to the actual questions, I reiterate that the process that was followed did identify, as was discussed, all the checks in the box. Subsequent to both the Auditor General's findings and the complete acceptance of all those, a subsequent review was done with the security checklist being examined. That resulted in the decision that the actual shell of the building was not to be classified at that time. Subsequent to the blueprints being found in the garbage, that process has once again been revised, and certainly in hindsight, as the deputy minister has mentioned, we will relook at those criteria in order to determine if additional checks need to be considered.
With regard to the actual threat itself, we take that business, as the Vice Chief of the Defence Staff has said, very seriously. We go through a continuous review to determine whether or not we have risk or exposure to a variety of different threats and that isn't a one-time deal. As a result of this incident--I believe the blueprints were found on March 13--we immediately initiated an internal review of those security measures, not only of the building on site but the unit itself, to determine if there were any present threats that were identified. There have been none at the moment, which doesn't mean to say that abdicates our responsibilities. Rather, we subsequently looked at the renewed process and whether or not we would come to a different conclusion as those processes get changed. I believe, as the deputy minister said, we would likely come to a different conclusion.
What we have done in the interim is look at what we can do to mitigate that risk. I am satisfied that both internally, in my command within the CF, and in the department we have taken all reasonable precautions to ensure that any subsequent threat is of a reasonable nature and that we will be able to continually implement those improvements, as well as continue to review the threats and risks that we face.
11:55 a.m.
Liberal
The Chair Liberal Shawn Murphy
Thank you very much, Colonel Day.
We're going to go to Mr. Holland for seven minutes.
11:55 a.m.
Liberal
Mark Holland Liberal Ajax—Pickering, ON
Thank you, Mr. Chair.
I want to start with the scope of this. If you take the NORAD facility as an example, this is a major breach. You said this was a mistake. The problem is that it isn't just a security issue; it's also an issue in terms of the trust and support that we have with our allies and NORAD. When they're turning to us to work with them, if things that should have been classified....
You're saying that, in retrospect, this was an error and it should have been classified. I find it hard to believe that when we're dealing with a NORAD facility there would have been any other conclusion other than it should be classified. That hurts us. It hurts us not just in terms of a security risk, but also in terms of working with our NORAD partners.
I'm confused now because the comments of Colonel Day seem to indicate that there was a mistake in the classification of the facility, the Canadian Joint Incident Response Unit in Trenton, and that should have perhaps been classified.
There was a definitive statement that the NORAD incident was a mistake. Perhaps in the incident where this was thrown in the garbage, the Canadian Joint Incident Response Unit blueprints should have been classified. But in the Auditor General's audit, we found that 99% of the security requirements checklists were not completed, were not done.
So it's not as if this is a one off. If we start with 99% not being done, should there not be an assessment being done in all of those instances, before contracts are awarded, especially if it's for something like a NORAD facility? But in general, is that not something that should be done? Is there a commitment to take us from 99% to zero?
Noon
Deputy Minister, Department of National Defence
Mr. Chairman, on the issue of U.S. confidence, the U.S. is, as I understand it, very comfortable with the state of that building and its actual use. They have sent their own teams to have a look at that building. So they are now very comfortable.
The only thing I would say in response to the member's question or concern around U.S. confidence is that, as I think the relationship has shown over and over again, confidence comes from recognizing any errors we might have around these kinds of things and fixing them quickly, fixing them in a way that actually works for both parties. I believe that actually has been done in the context of the North Bay facility, just from the perspective of U.S. confidence.
On the issue of the JIRU building and whether we made a mistake, I think I would actually like to correct the record, or at least address the comment. I'm not sure the colonel said that we made a mistake. I think the colonel said that if we were to look at it again, if we were to look at the threat and risk assessments around this, would we have done this differently? And I think the answer is, yes, maybe we would have done it differently. So I'm not sure that I heard the colonel--but I stand to be corrected--definitively say that we would have done it differently.
On the issue of 99% and moving that down, we now have in the department, essentially operationally formally required next month, every project over $5,000 either requiring a security requirements checklist or certification--as proposed by the Auditor General--that there are no security issues.
Noon
Liberal
Mark Holland Liberal Ajax—Pickering, ON
Maybe it's splitting hairs, but when you say in retrospect you would have done something differently and maybe it was not handled properly, whether or not you want to call that an error or whatever, my point remains.
My concern , and I want to hear a little more clearly, is what you're doing with respect to the classification of buildings, and secondly, how you're going to handle documents at various security clearance levels.
I don't accept, and I hope you don't accept, that blueprints being found in the garbage or being abandoned in some way that somebody else can pick up is acceptable, particularly if we say that maybe in retrospect those blueprints should have been classified.
Is there a policy, or are you looking at a policy, to handle documents of different security levels in such a way that this type of behaviour would be prevented? And can I ask what consequences there would be for individuals who would breach those new protocols, if established?
Noon
Deputy Minister, Department of National Defence
Mr. Chairman, on the issue of document handling and classified documents, there is already a very clear process in place for how classified documents are to be handled, who is to have access to them, the kinds of security clearances they actually require--
12:05 p.m.
Liberal
Mark Holland Liberal Ajax—Pickering, ON
I'm sorry to interrupt, but under that system you said that there wasn't a problem with these documents being on the street. You said you had done a review of that and that it might not have been ideal but there was no problem with it under the current protocol.
Is that something you're comfortable with? Because I'm not, I'll be honest with you. And I have a question for the auditor in terms of whether she's comfortable with that.
Are the protocols going to be changed such that this type of behaviour is not something that would be accepted and there would be consequences for it?
12:05 p.m.
Deputy Minister, Department of National Defence
Mr. Chairman, again, let me make sure I understand the question clearly. Maybe the Auditor General understands it more clearly than I do.
These documents were unclassified. The government security policy does not require unclassified documents to be handled in any particular way. Do I personally like the idea that these blueprints ended up in a dumpster somewhere? No. Is there a requirement, an obligation under a policy to handle them differently? No. Is it being addressed in the context of Treasury Board's review of the government security policy? Yes.
12:05 p.m.
Liberal
Mark Holland Liberal Ajax—Pickering, ON
If I have a second, maybe I could go to the auditor. Do we not need a system that demonstrates what's going to happen with documents of various security clearances? We've seen how this has really undermined public confidence in security, when these documents were found in the way in which they were and we were told that the current protocols allow for that, there are no consequences.
Do you not feel we have to have some protocols on how we deal with these documents, lest they be found in the manner that they were? That really undermines confidence.
12:05 p.m.
Auditor General of Canada, Office of the Auditor General of Canada
Mr. Chair, as the deputy has indicated, there is quite elaborate policy and guidance to all government officials on how to deal with documents that are classified. These blueprints were not classified. They would be the same, quite frankly, as a memo pad in an office somewhere. It goes out in the garbage, and--
12:05 p.m.
Liberal
12:05 p.m.
Auditor General of Canada, Office of the Auditor General of Canada
Well, the issue comes back to the fact that under the practices of the department at that time the shells of the buildings, in most cases, would not be considered classified. It was only when they started to do the fit-up of what goes inside that they then would look at classification.
One of the issues coming out of all this is that maybe they should be considering what is going to happen inside that building much sooner in the process--I think the department agrees with that--and what the context is around that building. In this case, I believe it was a training centre. A training centre in and of itself may not be particularly sensitive, but if you have sensitive conversations going on there, which one might think could happen in this particular location, maybe you would want to think about the security earlier.
This is one of the issues that I think are coming out of this whole thing. The way of treating the building as a shell, as being unclassified, meaning that all the plans for that are unclassified and open to the public, to people who are contracting on it, may not be the best way of going about this and that there should be a more rigorous security consideration given to what is going to happen in those buildings earlier in the process.
12:05 p.m.
Liberal
The Chair Liberal Shawn Murphy
Thank you, Mr. Holland. Thank you, Ms. Fraser.
Mr. Lake, seven minutes.
June 3rd, 2008 / 12:05 p.m.
Conservative
Mike Lake Conservative Edmonton—Mill Woods—Beaumont, AB
Thank you, Mr. Chair.
I have the same questions that my colleague Mr. Williams had regarding why we're here today. I note that in the Auditor General's statement, in paragraph 11, she says:
The Department has put together an action plan and, as you know, has shared it with the Committee and with us. We believe that it represents a reasonable plan to address the concerns raised in our chapter, and we were pleased to note that the Department has set for itself specific deliverables with deadlines for implementation.
We don't very often get to read paragraphs like that from the Auditor General. It's not very often that we bring people back to congratulate them on actually doing what the Auditor General recommended, so congratulations.
12:05 p.m.
Auditor General of Canada, Office of the Auditor General of Canada
I'm sure the deputy wouldn't mind if you congratulated him, though.
12:05 p.m.
Conservative
12:05 p.m.
Deputy Minister, Department of National Defence
I'll just take the afterglow from the Auditor General here. Thank you, Mr. Chairman.
12:05 p.m.
Conservative
Mike Lake Conservative Edmonton—Mill Woods—Beaumont, AB
Do you guys want time for a hug?
I do want to use this as a little bit of a learning experience, though, if I could. The Auditor General was referring to this just a little bit when she states in paragraph 9
The committee may want to ask the department how and when it determines the security levels of its buildings and what risks it accepts in that process.
As I read the rest of the paragraph before and just listened to the Auditor General, I had the same questions. It seems odd to me that something that would eventually be deemed classified would at some point earlier in the process be deemed unclassified, especially if it's known that eventually it's going to be an area where stricter security measures will be needed.
Maybe you could speak to that a little bit in terms of how and when you determine the security levels of the buildings.
12:05 p.m.
Deputy Minister, Department of National Defence
Yes. I'd be happy to, Mr. Chairman.
Actually, I will ask the departmental security officer to speak to it. Just before I do, though, I will address the question that a previous member was asking and that the Auditor General actually answered. We are attempting to address that question of the front-end look-out to the end use of the building and the life cycle of the building. We are doing that by reworking our own internal security policies—again, they'll ultimately be consistent with the government security policy—to put more emphasis on the assessment of threats and risks at the front end, which becomes the trigger or the keystone for determining whether or not we do a security requirements checklist, which ultimately determines the classification of the blueprints.
Let me just turn to my departmental security officer for a moment to reply to the member's question around how and when buildings actually get classified.