RCMP review prompted by employee's arrest urges changes to bolster internal security

OTTAWA — A confidential RCMP review, conducted after the arrest of a senior employee for allegedly leaking classified information, calls for a fundamental shift in the security culture of the national police force to be led at the highest levels.

The newly disclosed report makes 43 recommendations, including training updates, stricter adherence to federal security screening standards and the possible introduction of random physical searches.

The review "confirms gaps in the security practices of the RCMP that could be closed or at least narrowed," says a message in the report from the joint chairs of the exercise.

"The security posture of the RCMP can and should be improved to reduce the risks to the RCMP and to protect public safety," it reads.

The review, led by a retired RCMP superintendent, followed the September 2019 arrest of Cameron Jay Ortis, who was then director general of the force's National Intelligence Co-ordination Centre.

Ortis is accused of violating the Security of Information Act by allegedly revealing secrets to an unnamed recipient, as well as breach of trust and a computer-related offence. A trial is slated for next year.

The review, ordered by RCMP Commissioner Brenda Lucki, looked at organizational factors and security issues related to personnel, physical settings and information technology, as well as the "insider threat" from within the force.

The resulting report, completed in June 2020, was disclosed only recently to The Canadian Press in response to an Access to Information request filed 19 months ago.

Several portions of the 78-page document were considered too sensitive to release.

The report says a management plan was being drafted to map out how the force could make changes. In response to questions about progress on specific measures, the RCMP indicated the effort is still underway.

"The RCMP is committed to addressing the recommendations resulting from the review which provides the organization with an opportunity to modernize our security practices and posture," said Mountie spokeswoman Robin Percival.

"We continue to examine and adapt our security posture to protect the RCMP's information, assets, and people given the ever evolving landscape facing a national police force."

The review team drew on the knowledge of experts across the RCMP and examined past audits, evaluations and security-incident files.

It also looked at information from the investigation of Ortis, known as Project Ace, on a "need-to-know basis," the report says.

This information was supplemented through 53 employee interviews that allowed the team to "study the breaches Ortis is suspected of perpetrating, which, in turn, informed efforts to identify vulnerabilities."

However, some individuals could not be interviewed in order to preserve the integrity of the criminal investigation.

Among the report's key findings:

— security awareness training was not mandatory at the RCMP, and the training that did exist was out of date;

— a pervasive attitude that security restrictions were something that needed to be worked around to get the job done;

— although the RCMP processed requests for security clearance updates and upgrades, limited resources were directed toward scrutinizing new hires, meaning delays and backlogs concerning updates for current employees;

— a lack of standards on management of information technology assets, including portable storage devices;

— approval for access to computer systems, such as the Canadian Top Secret Network, was being granted even when an employee's duties did not require access;

— a sense that employees were reluctant to report security incidents because they were afraid of the consequences to themselves or to colleagues; and

— organization-level factors, including poor management practices, inefficient communication between different areas of the RCMP, and a persistent belief that existing security controls were sufficient, contributed to "the creation of opportunities for exploitation."

The report stresses that the allegations against Ortis have not been proven in court. But the review team concluded he was able to gain and hold the trust of a number of senior leaders.

"The level of trust and confidence Ortis garnered appears to have resulted in the common Insider Threat warning signs that surfaced well in advance of Ortis' arrest being missed."

The report says the purported breach by Ortis could prompt valued partners to deny the RCMP access to sensitive material crucial to fighting crime, protecting public safety and preserving national security.

"The effort and cost to re-establish lost access and capabilities can be considerable," the report says.

As such, it was important to undertake a critical internal examination of not only broad security issues, but the environment inside the RCMP that "was a critical factor in how the events unfolded."

The report recommended numerous changes, including steps to:

— strengthen the role and influence of the RCMP's chief security officer;

— implement the Treasury Board standard on security screening to the greatest extent possible;

— develop specific mandatory training solutions to address insider threats and increase knowledge and awareness of security responsibilities;

— have the Department of Justice provide guidance on how to conduct random physical security checks;

— consolidate the number of high-security zones with classified networks and printing locations to a strict minimum;

— conduct an analysis of positions requiring access to the Canadian Top Secret Network;

— integrate physical security controls into future buildings from the outset;

— create a new policy centre for insider threats within the departmental security branch;

— develop a program to provide continuous assurance of an individual's reliability when warranted;

— implement an online means to submit an anonymous security incident report; and

— update security clearance forms to include vulnerabilities and pressures that RCMP employees may be experiencing.

"The vast majority of employees of the RCMP are dedicated and loyal but, as Ortis' alleged actions demonstrate, we can no longer trust without regularly verifying," says the message from the review's joint chairs.

The report reveals the criminal and administrative investigations and various internal processes triggered by the Ortis case "have resulted in millions of dollars in additional costs" for a force struggling to meet the core policing elements of its mandate.

It concludes that implementing the recommendations must be done "in conjunction with a clear shift in the security culture of the RCMP led by the highest echelon of the organization."

But the report cautions it is impossible to remove all security risks.

"Even where the RCMP has made prudent risk decisions, puts the right security controls in place, and enables a robust, risk-aware security culture, it cannot completely guard itself from employees making individual decisions to use their knowledge, privilege, and access rights to circumvent these controls and harm the organization and Canadians."

This report by The Canadian Press was first published Oct. 30, 2022.

Jim Bronskill, The Canadian Press