The RCMP was struggling to keep staff security clearances up to date during the time a senior employee allegedly tried to pass secrets to adversaries, an internal Mountie audit shows.
The audit report stressed the importance of regularly reviewing the security status of RCMP employees to guard against the threat of an insider betraying the national police force by sharing sensitive information with the wrong people.
The auditors found all of the RCMP sections across Canada responsible for screening had “a significant backlog” of security updates to do, as well as smaller backlogs of new clearances and upgrades to higher security levels.
Overall, the audit concluded that “risks and gaps” were hampering effective delivery of the security-screening program to the force’s nearly 30,000 employees, 25,000 contractors and more than 17,000 volunteers in over 700 communities.
The little-noticed Audit of Personnel Security, completed in 2016 and quietly made public in edited form last year, takes on new relevance following the arrest this month of RCMP intelligence official Cameron Jay Ortis.
Ortis, 47, is accused of violating three sections of the Security of Information Act as well as two Criminal Code provisions, including breach of trust, for allegedly trying to disclose classified information to an unspecified foreign entity or terrorist group.
RCMP Commissioner Brenda Lucki has said the allegations against Ortis, if proven true, are extremely unsettling, given that he had access to intelligence from domestic and international allies.
The charge sheet lists seven counts against Ortis under the various provisions, dating from as early as Jan. 1, 2015, through to Sept. 12 of this year, when he was taken into custody. He is slated to make his third court appearance today.
“One of the many questions raised by the Ortis case is what internal security measures failed or might have failed,” said Wesley Wark, an intelligence expert who teaches at the University of Ottawa.
“The question of security clearances and security monitoring must be front and centre.”
The RCMP’s personnel security program aims to ensure the reliability and security of people who have access to the force’s information systems, data and premises, the internal audit says.
This is achieved through the force’s security-screening process, which supports the issuance, denial, suspension or revocation of basic RCMP reliability status or, if required by the position, a secret or top-secret security clearance.
A top-secret “enhanced” clearance entails extra screening including a polygraph examination, commonly known as a lie-detector test.
Reliability status and secret clearances are valid for 10 years, while top-secret clearances must be updated every five years.
“Updates are a critical insider-threat mitigation measure,” the audit report says.
Lucki told a Sept. 17 news conference that Ortis held a valid top-secret clearance but said he had not undergone a polygraph test.