OTTAWA—The RCMP was struggling to keep staff security clearances up to date during the time a senior employee allegedly tried to pass secrets to adversaries, an internal Mountie audit shows.
The audit report stressed the importance of regularly reviewing the security status of RCMP employees to guard against the threat of an insider betraying the national police force by sharing sensitive information with the wrong people.
The auditors found all of the RCMP sections across Canada responsible for screening had “a significant backlog” of security updates to do, as well as smaller backlogs of new clearances and upgrades to higher security levels.
Overall, the audit concluded that “risks and gaps” were hampering effective delivery of the security-screening program to the force’s nearly 30,000 employees, 25,000 contractors, and more than 17,000 volunteers in over 700 communities.
The little-noticed Audit of Personnel Security, completed in 2016 and quietly made public in edited form last year, takes on new relevance following the arrest this month of RCMP intelligence official Cameron Jay Ortis.
Ortis, 47, is accused of violating three sections of the Security of Information Act as well as two Criminal Code provisions, including breach of trust, for allegedly trying to disclose classified information to an unspecified foreign entity or terrorist group.
RCMP Commissioner Brenda Lucki has said the allegations against Ortis, if proven true, are extremely unsettling, given that he had access to intelligence from domestic and international allies.
The charge sheet lists seven counts against Ortis under the various provisions, dating from as early as Jan. 1, 2015, through to Sept. 12 of this year, when he was taken into custody. He is slated to make his third court appearance on Sept. 27.
“One of the many questions raised by the Ortis case is what internal security measures failed or might have failed,” said Wesley Wark, an intelligence expert who teaches at the University of Ottawa.
“The question of security clearances and security monitoring must be front and centre.”
The RCMP’s personnel security program aims to ensure the reliability and security of people who have access to the force’s information systems, data and premises, the internal audit says.
This is achieved through the force’s security-screening process, which supports the issuance, denial, suspension or revocation of basic RCMP reliability status or, if required by the position, a secret or top-secret security clearance.
A top-secret “enhanced” clearance entails extra screening including a polygraph examination, commonly known as a lie-detector test.
Reliability status and secret clearances are valid for 10 years, while top-secret clearances must be updated every five years.
“Updates are a critical insider-threat mitigation measure,” the audit report says.
Lucki told a Sept. 17 news conference that Ortis held a valid top-secret clearance but said he had not undergone a polygraph test.
The RCMP declined to tell The Canadian Press this week when Ortis, who joined the force in 2007, underwent his most recent security update.
The police force also provided no answers to questions about any steps the RCMP may have taken in response to the internal audit’s findings.
The auditors said the force’s departmental security program had “experienced challenges in meeting service level expectations” due to funding pressures and increasing demand.
Eliminating security-clearance backlogs would reduce risk to the RCMP and help the force direct program resources to new security-clearance files, the audit report said.
Security clearances, including renewals, are time-consuming, and renewals can be treated as less urgent because of an assumption that a previously cleared person can be trusted, Wark said.
Even so, backlogs of security-clearance renewals, especially those involving top-secret levels, are “a serious issue,” he said.
The case of Jeffrey Paul Delisle, a naval officer who pleaded guilty in 2012 to giving classified material to Russia, shows the system is not always on top of the challenges. Wark noted Delisle’s top-secret clearance had expired in 2011 but he continued to have access to sensitive databases.
Following the Delisle case, the government ushered in revised security-screening standards in 2014.
One new element was the concept of “aftercare,” which requires departmental security staff and other personnel to monitor and report on any changes in an employee’s situation that might raise security concerns, Wark noted.
Such changes could include misuse of drugs or alcohol, sudden changes in an employee’s financial situation, expressions of support for extremist views, or unexplained frequent absences.
“This is meant to be an ongoing process to cover the periods between clearance renewals and to counter the insider threat,” Wark said.