Mandatory security awareness training among changes since arrest of employee: RCMP

OTTAWA – The RCMP says it has introduced mandatory security awareness training for employees, one of several changes prompted by the 2019 arrest of a senior civilian member for allegedly leaking classified information.

The Mounties say they have also made it easier to report security vulnerabilities, boosted the internal profile of departmental security operations and made strides toward creating a program to reduce the risk of personnel spilling secrets.

The moves follow a June 2020 RCMP review report that called for a fundamental shift in the security culture of the national police force, to be led at the highest levels.

The report, released last year through the Access to Information Act, made 43 recommendations, including training updates, stricter adherence to federal security screening standards and the possible introduction of random physical searches.

The review, led by a retired RCMP superintendent, began after the September 2019 arrest of Cameron Jay Ortis, who was then director general of the force’s National Intelligence Co-ordination Centre.

iStock.com/filo

Ortis is set to face trial in an Ontario court on charges of violating the Security of Information Act by allegedly revealing secrets on three occasions and trying to do so in a fourth instance, as well as breach of trust and a computer-related offence.

In preparing the 2020 report, the review team drew on the knowledge of experts across the RCMP and examined past audits, evaluations and security-incident files. It also looked at information from the investigation of Ortis, known as Project Ace, on a “need-to-know basis.”

The report stressed that the allegations against Ortis have not been proven in court. But the reviewers concluded he was able to gain and hold the trust of a number of senior leaders.

The report found security awareness training was not mandatory at the RCMP, and there was a pervasive attitude that security restrictions were something that needed to be worked around to get the job done.

There was also a lack of standards on management of information technology assets, including portable storage devices. Approval for access to computer systems, such as the Canadian Top Secret Network, was being granted even when an employee’s duties did not require access.

The reviewers also said employees seemed reluctant to report security incidents because they were afraid of the consequences to themselves or to colleagues.

Some recommendations were considered too sensitive to disclose.

Related: RCMP breached policy on collection of online information: audit

In response to a recent query from The Canadian Press on progress in addressing the report, RCMP spokesperson Marie-Eve Breton said that of the non-classified recommendations, many have been implemented while some are works in progress.

The RCMP has set up an online security event reporting program for employees to flag incidents, threats and vulnerabilities, Breton said.

In addition, a mandatory security awareness training course was initiated for all RCMP regular members, civilian members and public service employees to increase understanding of their security roles and responsibilities, she said.

Among the other measures:

• ongoing internal communications and security awareness campaigns about the security roles and responsibilities of all RCMP employees;
• an internal governance model for information technology security is being created, with short-, medium- and long-term considerations;
• where possible, the RCMP is consolidating and limiting the number of high-security zones with classified networks to a strict minimum based on operational requirements across Canada;
• within the force, departmental security is now a stand-alone program within Specialized Policing Services, raising its internal profile, and the chief security officer is now a member of the senior management team;
• and an insider risk program is being developed to help proactively ward off internal security problems.

The RCMP has confidence in its current security screening process, Breton said. She noted the multi-step process includes education and employment verification, credit checks, criminal record checks, open-source investigations, interviews and field investigations.

“As the risk and threat landscape evolves, the RCMP is committed to the continuous review and strengthening of security practices to protect information, assets and employees under our responsibility,” she added.

The efforts come amid the national security community’s struggle to contain leaks of classified information over the last year about allegations of foreign interference in Canadian affairs. The RCMP has launched a criminal investigation into the breaches, which include disclosure of classified materials produced by the Canadian Security Intelligence Service.

Feature image by iStock.com/.shock