PACP Committee Meeting

     I would like to call the meeting to order and extend to everyone here a very warm welcome.

    Colleagues, today we're dealing with chapter 1, “Safeguarding Government Information and Assets in Contracting”, of the October 2007 report of the Auditor General of Canada.

    We are very pleased to have before the committee today, from the Office of the Auditor General, Sheila Fraser, the Auditor General. She's accompanied by Hugh McRoberts, Assistant Auditor General; and Bruce Sloan, principal.

    We do have a number of witnesses from the Department of National Defence. First of all, we have the deputy minister and accounting officer, Mr. Robert Fonberg. Then we have back again Lieutenant-General Walter Natynczyk, Vice-Chief of the Defence Staff; Scott Stevenson, assistant deputy minister, infrastructure and environment; Dan Ross, assistant deputy minister, materiel; Major-General Glynn Hines, chief of staff; Colonel Michael Day, commander, Canadian Special Operations Forces Command; and Lieutenant-Colonel David Shuster, director, deputy provost marshall security.

    From Defence Construction Canada, we have Mr. Ross Nicholls, president and chief executive officer.

    Again, I want to extend to each one of you a very warm welcome.

    Before I call upon the Auditor General for her opening remarks, I do want to introduce to the members of the committee and the witnesses some very special guests in the room today. We're very pleased to have a delegation from Uganda, including three members of their public accounts committee.

    We have the chair of the Ugandan public accounts committee, the Honourable Nandala Mafaabi. He is accompanied by two other members of the committee, Mr. Albert Odumon and Mrs. Margaret Kiboyijana. And with them, we have the clerk of the committee, Mr. Sam Emiku; the High Commissioner, Mr. George Abola; the director of administration and finance of the Ministry of Foreign Affairs, Mr. Samuel Kakula; the principal assistant of the Ministry of Finance, Mr. Lubega Yakub; and also Mr. Berti Kawooya from the High Commission.

    So on behalf of the committee and all members, I want to extend to you, the visiting Ugandan delegation, a very warm welcome.

    Some hon. members: Hear, hear!

    The Chair: Ms. Fraser, I understand you have opening remarks.

    Thank you, Mr. Chair.

    We thank you for this opportunity to further discuss our work related to chapter 1 in our October 2007 report, the chapter entitled “Safeguarding Government Information and Assets in Contracting”, in particular, the issues we raised about the construction of the NORAD above-ground complex at the Canadian Forces base in North Bay.

    As you mentioned, I am accompanied today by Hugh McRoberts, Assistant Auditor General; and Bruce Sloan, principal.

    Perhaps I can begin by providing the committee with a quick summary of our audit findings since we first raised this issue. We first reported our concerns about the construction of the NORAD building in North Bay in chapter 6 of our May 2007 report. At that time, we noted that several questions about the security of the building remained, and we highlighted four important security issues, that: there was no security requirements checklist, and the department acknowledged that the review had not been done; the blueprints for the building had been placed in the public domain when they were made available to any interested contractor; there was limited physical control of the building and access to the site during construction; and finally, the workers on site had not been security cleared to work there.

    We were also concerned because questions about the security of the building were delaying the move from the underground complex and delaying the realization of any savings that this move was to generate for National Defence.

    At the time of our May report, National Defence was in the process of assessing possible weaknesses caused by the lack of security during construction. The department was also determining the steps it needed to take to insure that the building was secure for NORAD and other base operations.

    In chapter one of our October 2007 report, on “Safeguarding Government Information and Assets in Contracting”, we decided to follow up on the progress the department had made in insuring the security of the building. The department informed us that after investigating, it had determined that the building could be used as intended if modifications were made. These modifications were due to be made by mid-September 2007.

    I believe that National Defence has since informed this committee that modifications were made to fix construction defects and install monitoring equipment. The modifications, the details of which I understand to be classified, were intended to mitigate any potential security compromises. As our audit work was substantively completed in August 2007, we cannot comment on the actions the department has taken since then.

    The department has also indicated to this committee that the nature of threats is such that eliminating risks is likely impossible. However, the department is satisfied that its mitigation measures addressed security concerns. Nevertheless, the department has also informed the committee that it is still assessing the best way to move two systems used for NORAD operations from the underground complex into the new building. We believe that one indicator of how well security concerns have been addressed is whether all the systems that were to be moved into the building are, in fact, there. The committee may wish to ask the department when it expects to be able to relocate those systems.

    Our audit showed that many of the problems we identified may have been avoided if the government security policy had been adhered to more strictly at the beginning of construction. For example, completing a security requirements checklist might have helped the department identify security concerns before they became problems.

    In its action plan, the department has committed to putting in place an interim policy on the responsibilities and obligations of all members of the department for security requirements checklists.

    It appears that most buildings are treated as unclassified structures when construction begins. In testimony before this committee, departmental officials said that as building construction progresses, security requirements can change from those needed at a bare-ground, unclassified work site to those needed at a classified, clearance-required site. Although the purpose of the facility remains the same throughout the project, security may only be considered fully later when the department is preparing to make the building operational. The committee may want to ask the department how and when it determines the security levels of its buildings and what risks it accepts in that process.

    As well in previous testimony, there was discussion about whether the roles and responsibilities for construction security were clear between National Defence and Defence Construction Canada. In its action plan, National Defence committed to revising the memorandum of understanding it has with Defence Construction Canada and to putting a framework in place to manage industrial security on defence projects. I understand that a revised memorandum of understanding has been signed.

    The department has put together an action plan and, as you know, has shared it with the committee and with us. We believe that it represents a reasonable plan to address the concerns raised in our chapter, and we were pleased to know that the department has set for itself specific deliverables with deadlines for implementation.

    Mr. Chair, this concludes my opening remarks. We would be pleased to answer any questions.

    Thank you very much, Mrs. Fraser.

    We're now going to hear from the Deputy Minister of the Department of National Defence, Mr. Robert Fonberg.

    Mr. Chairman, members of the committee, thank you for this opportunity to speak with you today.

    First, I would like to apologize to the committee for any misunderstanding that the testimony given by representatives of the Department of National Defence in February may have caused. My intent in my letter of March 28, 2008, was to clarify that situation.

    Let me assure the committee that the Department of National Defence takes the security concerns identified by the Auditor General very seriously, and let me say that we accept without reservation the findings and recommendations of the Auditor General's October 2007 report.

    We have developed an action plan to address the problems identified by the Auditor General.

    And in consultation with the Treasury Board Secretariat, Public Works and Government Services Canada and Defence Construction Canada, we are moving ahead on its implementation.

    The committee was first provided with a copy of the action plan in March. And I believe that the committee has also received an updated copy of the plan.

    Let me briefly outline for you some of the measures that have already been taken to improve security in National Defence contracting as a result of the action plan.

    As of January 2008, we are confident that all National Defence construction contracts have a completed security requirements checklist or an attestation from the project authority that there are no security issues involved. This procedure will be formalized by 31 July, 2008, with the promulgation of a departmental directive on industrial security policy. As of next month, all contracts above $5,000—construction and otherwise—will comply with this requirement.

    As well, the action plan references a memorandum of understanding between the Department of National Defence and Defence Construction Canada specifying the roles and responsibilities of both sides when it comes to security and contracting. As the Auditor General has just mentioned, this MOU has now been signed by National Defence and Defence Construction Canada. We have a copy of it to table with the committee if you so desire.

    In addition, Mr. Chairman, as a result of the action plan, we are updating our industrial security policies and procedures to ensure that they meet or exceed those in the government security policy, which is being revised, as you know, as well as its standards and directives. We are improving security awareness and education on this issue within National Defence, and we are increasing our capacity to effectively oversee and enforce the industrial security policies and procedures that are being established.

    National Defence is also taking steps to address possible security issues associated with the 8,500 contracts let between 2002 and 2007, as identified in the Auditor General's report. We have begun a risk-based review of these contracts to determine if there may have been a compromise of classified information or assets. Our reviews are continuing and, as noted in the action plan, we expect them to be completed by 31 July, 2008.

    Finally, Mr. Chairman, I would like to speak to the concerns raised in your April 10, 2008, letter regarding the recovery of blueprints for the Canadian Joint Incident Response Unit being built in Trenton.

    Our preliminary review of this situation indicated that departmental and Treasury Board security policies were followed. A security requirement checklist was completed prior to the award of the contract for the design and construction of this facility.

    The blueprints contained no classified information and there was no requirement for contractual security provisions relating to their preparation. The facility itself is located within a restricted area of CFB Trenton, to which access is continuously controlled. The contractor and subcontractors were screened for reliability, and all others who required site access were escorted.

    All that being said, I have asked my chief of review services to conduct a detailed review of this matter, and I anticipate receiving his findings and recommendations by the end of this month.

    In conclusion, Mr. Chairman, let me again assure the committee that the Department of National Defence takes the security concerns identified by the Auditor General very seriously. The Auditor General has highlighted important concerns with respect to the department's approach to classifying construction projects. We must ensure that our assessments of threat and risk consider all security aspects of any new facility, including its future use, so that appropriate safeguards are in place from the outset.

    Senior leadership within the department are fully aware of the matters raised by the Auditor General and are committed to rectifying these matters, as noted in our action plan.

    I certainly regret any misunderstanding caused by the department's previous testimony and hope that my letter, and comments today, have clarified any discrepancies.

    I'd like to thank the committee for the opportunity to personally address this issue today. I would welcome any questions you may have.

    Thank you.

    Thank you, Mr. Fonberg.

    We're now going to hear from Mr. Ross Nicholls, the president and chief executive officer of Defence Construction Canada.

    Mr. Chairman, honourable members, I am pleased to appear before you again. At the last Public Accounts Committee meeting I explained DCC's role as contracting authority for DND infrastructure projects and how DCC is accountable for taking the measures necessary to protect the sensitive information and assets identified by the department.

    Since the April meeting of the committee, DCC has made excellent progress on its action plan to address the observations and recommendations of the Auditor General in her October 2007 report. Specifically, DCC has collaborated with DND in the review of security requirements for projects completed during the Auditor General's exercise and for all active contracts. As noted, DCC and DND have signed a revised memorandum of understanding that addresses our respective roles and responsibilities for the management of industrial security, and we've established a framework for the innovative management of security, as recommended by the Auditor General.

    DCC has developed and implemented a comprehensive security policy covering all aspects of contracting, contract management, and the internal operations of the corporation. DCC has established a security management organization and has appointed corporate, regional, and site security officers. All of these officers have received security training, and all remaining Defence Construction employees will receive security awareness training within the next few weeks.

    Threat and risk assessments for all DCC offices will be carried out by an independent agency in mid-June. These assessments address the physical security of offices.

    In short, Defence Construction has made concerted efforts since the Auditor General tabled her report. I'm in a position to say that Defence Construction is managing the security requirements identified by DND in accordance with sound risk management practice and in compliance with the government security policy.

    I'm of course prepared to answer any questions the committee may have.

    Thank you very much, Mr. Nicholls.

    We're now going to start the first round of seven minutes each.

    Mr. Hubbard, you are first. You have seven minutes.

    Thank you, Mr. Chair.

    Welcome. This morning we have a roomful of witnesses.

    If you get down to the very basic question here, this was new construction being done in North Bay, and with it we have certain regulations called the government security policy. The Auditor General's report would indicate that there were problems in supervision with regard to that policy.

    First of all, then, does the military recognize that policy, and do they try to adhere to it when they're doing construction at various sites?

     Sir, they absolutely do. Security is a command responsibility. From the Chief of Defence Staff all the way down, commanders are seized of the importance of security. I would say that we have to inculcate a culture of security within the Canadian Forces and indeed with the Department of National Defence.

    When this contract is being prepared, there are architects, and there are eventually contractors and so forth. I don't want a person's name, but who within the defence department, in rank, would be in charge of the oversight for that general security policy? Was there a designated officer who was working with the North Bay site?

    Mr. Chair, if I may, could I ask for clarification on the question?

    Are you asking, sir, whether there--

    I would assume that within the ranks of the military there would be some person responsible for the preparation and the construction of that site at North Bay. We have to remember it's not only a Canadian armed forces site, but also a NORAD site that's jointly used by us and by our allies. Who, by rank or by position, was responsible for the security from the beginning to the end of construction at North Bay?

    I see you looking at one another. There must be somebody. I hope they're at the table. There must be somebody who, by rank or position, was responsible.

    Keep in mind that the project began in December 1995. A project manager would be responsible for this project.

    Can you give us his name, or his rank or position?

    I do not have his name. This site began, in terms of developing the statement of requirement, in December of 1995.

    You can get back to us, sir, if you don't have the information at your disposal.

    We'd be happy to get back to you with that detailed information.

    Do you agree that the Auditor General's report reflected a very poor management on behalf of DND?

    I believe the Auditor General's report is very accurate on the lack of judgment by people in handling this case. Again, it speaks to the culture, where people did not understood the importance of security, especially in a facility of this importance to the security of Canada and our relationship with our American partners.

    So you would contend that before 9/11 there were not the same concerns for security that there have been since then.

     I was not in the department as part of this project. But we have to keep in mind the very different culture in the 1990s, the changes that occurred with 9/11, and then the significant changes in the culture of understanding the importance of security thereafter.

    You referred back to the 1995 period. After 2001, who would have been responsible for the security of this project after 9/11?

    The security of the project when it began came under the auspices of the Chief of the Air Staff in the First Canadian Air Division. The commander of the First Canadian Air Division appointed a project manager on his staff to oversee this project with the commander in 22 Wing, which is North Bay, supported by the offices of the assistant deputy minister of infrastructure and environment.

    We have to be concerned by what we hear, but we also had another incident here dealing with the Trenton building. Apparently the blueprints for some of it were found lying on the streets here in Ottawa. In fact, one was recovered and others are simply missing. The contractor who was doing the architectural work on this--I don't want to mention his name--said he didn't think the blueprints were very important.

    The Trenton operation will be the centre for our C-17s, which will be responsible for the movement of equipment, troops, and so forth across the country. It's very important that be on a ready system. How can we express the fact that the person responsible for the architectural work said he didn't think they were very relevant, and we could throw them in the garbage when we wanted?

    Do you agree with what that architectural group said about the preparation of a very important military site? Apparently it can be found on the streets of Ottawa if somebody kicks the garbage around. How could that have happened?

    The Trenton project and the development of the blueprints went through the appropriate kind of security requirements checklist. Those blueprints were deemed to be unclassified. Treasury Board, under the government security policy, now recognizes that there are no document-handling requirements for unclassified blueprints. The story is not much more complicated than that.

     I would simply say the allegations that there were other copies of the blueprints remain, I believe, unfounded. Whoever found the original blueprints apparently argued that there were other tubes in the same place. It was not confirmed, as far as I know, that there actually were copies of the blueprints in those tubes.

    Thank you, Mr. Fonberg.

    Thank you, Mr. Hubbard.

    Monsieur Nadeau.

    Thank you, Mr. Chairman.

    First off, does National Defence know how these blueprints ended up in the place where they were found?

    Do we know...?

    Do you know how these blueprints ended up where they were found?

    No, we do not know how they ended up there.

    Were you informed, at any point, that these blueprints had disappeared?

    No, we were not informed that the blueprints had disappeared, Mr. Chairman.

    Are there any security guidelines regarding blueprints for military buildings considered significant from the security standpoint?

    Yes, absolutely.

    If so, can you tell me where the flaw occurred that led to these blueprints disappearing and being found in another city?

    There was no flaw in the process. The process required us to look at whether or not those blueprints should have been classified. A determination was made that they did not have to be classified, the contractors would not require access to classified information, or access to classified areas. A reliability check was done on the contractor. But the documents themselves were not classified, and there is no overall government provision for the handling of non-classified documents.

    So as much as we may not have liked to have seen them thrown in the garbage, that was not outside the bounds of what they were allowed to do with those blueprints.

    You said you would have preferred not to have seen this situation occur, and I understand why you'd say that.

    At this point is there any way to prevent this type of situation from occurring?

    Is there some way of avoiding this in place? I'd have to look at my departmental security officer. I do not believe we have moved to change the provisions that are there. We are awaiting Treasury Board guidance in the rewriting of the government security policy around the issue of whether there will be special handling provisions for unclassified blueprints associated with government buildings.

    Let me turn to my departmental security officer for further elaboration.

    DM, that's correct--

    Just a minute. You are telling me that this type of situation could recur at any point.

     I think shortly after the discovery of the Trenton blueprints somebody managed to find some blueprints for another government department's buildings, which were also unclassified, in a similar situation. So could it recur for unclassified documents? Unless we have put certain provisions into the contract for the handling of unclassified documents, it would be above and beyond the provisions in the government security policy. Yes sir, Mr. Chairman, it could happen again.

    The deputy minister's comments are correct. My understanding is that both Treasury Board and the ADM security committee are looking at this particular issue on unclassified documents and looking at different caveats that can be placed on unclassified documents. Obviously PWGSC has to be very involved in this, because classifying these documents changes the whole contracting process and restricts the fairness and competitiveness of government contracts. So Treasury Board, PWGSC, with input from all departments, are currently looking at that right now.

    Madam Auditor General, in light of what we've just heard, are you aware of similar situations occurring elsewhere within National Defence? Are you aware of this type of thing?

    Mr. Chairman, we did not assess that issue. As I mentioned in my opening statement, we believe the Department of National Defence should review the way in which it classifies buildings. Oftentimes, the department will begin construction on a building and determine its classification without necessarily considering future use. Buildings are built first and not classified. Depending on its future use, there could be a change to the classification. We believe that under certain circumstances, it would be wise to review a building's classification earlier on and take into consideration its future use.

    What lessons should we draw from this situation from a security standpoint? Mr. Nicholls and others have mentioned a security culture. Does the Department of National Defence have some difficulty in classifying its military buildings for security purposes? Would you yourselves be in a position to know whether important documents referring to these buildings should have been classified? Is there a process in place or are you simply waiting for someone else to tell you?

    Mr. Chairman, let me just repeat that there was no breach of government security policy or national security policy in the handling of these documents. The project itself went through a security requirements checklist. It was not deemed necessary to classify the actual blueprints. So the handling of the blueprints happened according to existing policy. It was unfortunate that they ended up where they ended up, but there was no actual breach of any particular policy.

    Mr. Chairman, I'm skeptical because we are unaware of when these blueprints disappeared and how they ended up where they were found. Well, we're being told that everything is fine insofar as there was no breach in the security process. I know someone discovered the Diefenbunker was going to be built because a pilot who was flying over a field could see where several washrooms were going to be built, who knows where. That was another era, and yet it seems as though things have not changed.

    I find your comments very irresponsible. And I have received no response from you. Perhaps Mr. Nicholls can answer. What are you going to do to improve the situation? Is it a matter of waiting for a Treasury Board document?

    Thank you, Mr. Nadeau.

    Go ahead, sir.

    First of all, we have tabled an action plan. I believe we have a revised action plan to actually table. The action plan itself is based on all the recommendations the Auditor General herself put forward in her report. Basically, there are four points to that action plan.

    Just before I get back to them, I would like to say that the reality, which the Auditor General has recognized, is that the way most of our buildings work their way through the classification process is that, first, a function for the building is actually determined. Then there is a process by which the space is actually designed. Those spaces--the walls, the floors, the wiring, the plumbing--basically determine the scope of the project. The project itself may be broken into a number of contracts to put up what we have, in the past, considered unclassified. There would be another contract to fit up what may be classified inside the building should there be a need for any special kind of treatment, any special communications, or any special equipment that's going to be handled in that building.

    Typically, in a situation in which we have a building that has a classified part to it, for the reasons the DSO noted earlier, to allow for as much competition in the bidding process as possible, we often will bid the shell unclassified, and we will bid a contract for classified work within that shell. I think what the Auditor General has pointed out is that we need to be more deliberate and more serious in the early stages of design with respect to our assessment of threats and risks for the full use of the building through its life. That is something we are currently doing.

    Basically, there is a four-point action plan. We are fixing the security requirements checklist piece of this, as the Auditor General recommended, to either require an SRCL or to have an attestation or certification that one is not required. So we now have full coverage. You need one or you don't need one, and that's actually signed off.

    We are in the process of clearly clarifying rules and responsibilities for everybody, through the contracting process, on the construction side, and more generally, on the procurement side. We will go through a deliberate process of propagating those new policies in a very clear way toward the end of July. We will make sure that they are amended as the government security policy, put out by Treasury Board, comes out. That will be after the end of July, I expect.

     We have a group of people who are working on a very deliberate sort of communication awareness education plan for those in the department who will be involved with contracting, whether for construction or otherwise.

    Thank you, Mr. Chairman.

    Thank you very much, Mr. Fonberg.

    Mr. Williams, you have seven minutes.

    Thank you very much, Mr. Chairman.

    First I have to say that I'm not exactly sure why we have such a lineup of high-priced people here with us today. We have the Auditor General and her entourage. We have the Vice-Chief of the Defence Staff with a whole entourage of military people. I thought we dealt with this issue months ago, and now they're back again. I can't understand, Mr. Chairman, what we're actually trying to achieve here by bringing all these people in for a minor concern or misunderstanding.

    Anyway, here they are, and welcome everybody. We'll have our seven minutes, if I can stretch it out that far.

     You have six minutes and ten seconds left, Mr. Williams.

    Thank you, Mr. Chairman.

    Looking at this MOU that we have been given between the Department of National Defence and Defence Construction 1951 Limited, which I think is also called Defence Construction Canada, I'm glad to see that they're taking security seriously, Mr. Chairman. There must be some things in here that we don't need to know, because we've been given the odd-numbered pages but we don't have the even-numbered pages. They must be the ones that have the classified information on them.

    The other point I wanted to examine is that the agreement is dated June 2, 2008, which happens to be yesterday. I presume it's the motivation of coming before this committee that caused this to get done.

    Am I correct, Mr. Fonberg, that getting this done was an important thing so that one could come to the committee and say we finally have this MOU?

    Mr. Chairman, we submitted a revised action plan to you and the committee last Wednesday or Thursday; I'm not actually sure of the date. At that time we identified that we expected this MOU and the framework to be signed by July 31, 2008. As we went through our work last week, we realized it was further ahead than we thought.

    I was not prepared to brief it into the action plan at that point, because the lawyers were still looking at it, and as lawyers look at them, things can get somewhat off track. As it turns out, some work was done between the assistant deputy minister of infrastructure and environment and Mr. Ross Nicholls over the course of the weekend. We managed to get it done. I thought it was good for the committee to have it done, and frankly it was good for us to have it done before July 31, 2008.

    Mr. Williams is quite right. In the reproduction of this, every second page is missing. We will get the entire copy of the contract and will distribute it to the committee members.

    You're sure it's not classified, are you?

    I'm pretty sure it's not classified.

    That's good.

    In taking a look at the document I have here, the DCC Security Action Plan, I think, Mr. Chairman, if I recall correctly, that at the last meeting we were unaware—or I was unaware—that there actually was an MOU between Defence Construction Canada and the department and believed they had been operating for 40 to 50 years on a fairly informal arrangement. But I see that this new MOU replaces a previous one, dated May 18, 2001, that actually predates the 9/11 catastrophe in New York. I would have thought, given the whole new security awareness that event caused, that we would review our security in the building of infrastructure before this time.

    Do you have any comment on why an old agreement that predates 9/11 was the MOU that was still being used?

    Lieutenant General, do you have any comment?

    Mr. Chair, I believe we absolutely should have taken the time to have this done a lot earlier, shortly after the event.

    Thank you very much.

    I'm not sure I have any further questions. If any of my colleagues have questions, Mr. Chairman, I'll leave the floor to them. As I said, I'm not exactly sure what we can achieve today.

    Let me ask one question of the Auditor General. Are you satisfied that progress is being made by the Department of National Defence on this report?

    Mr. Chair, we have looked at the action plans of both Defence Construction and the department. We believe they address the issues we raised in our audits.

    As I always say, we are cautiously optimistic that they will be put into place. Obviously, some of the deadlines are out further, and we haven't gone back to actually check that everything will be done, but it looks very promising.

    There are two minutes left in that slot.

    Mr. Fitzpatrick.

    If I understand things correctly, the blueprints for the building were not deemed to be classified. I'm not an expert in this, but it seems to me that the attack on September 11 by al-Qaeda was based on a good deal of knowledge about the design and structure of the towers and the effect of a plane crashing into those buildings: the pancaking effect on the building and so on.

    It would seem to me—I don't want to sound like a Maxwell Smart or somebody—that if you're designing something for NORAD, it would be highly critical that the building be free of any risk from terrorists attacks, or that you would attempt to minimize the risk. To have blueprints out in the public domain would just be an invitation for these people to know what the design vulnerabilities of these buildings are.

    Am I missing something here, or can you satisfy me on this point? It seems to me rather odd or strange that blueprints would not be classified information.

    Mr. Chairman, I assume we're referring to North Bay, not to the Trenton blueprints.

    I assume if they're not classified, they're out in the public domain and people can look at those blueprints.

    In the case of North Bay, I would like to be able to satisfy the member, Mr. Chairman, but he, I think, has pretty much stated the reality.

    Those blueprints were not classified. In retrospect, if we had to do it again, we would probably be a little bit more deliberate, certainly through the application of a security requirements checklist, and may very well have come up with a different classification for those plans.

    Is part of the reason for maybe not being strong on classifying this is because you have to line up a contractor and you have to line up skilled labour to build this? We're in a tight labour market in this country and it's hard to get good contractors since they have lots of work to do, so you'd be really limiting the pool if you classified the blueprints. Would that be one of the difficulties?

    Well, whenever blueprints are classified, the available number of contractors is smaller by a significant margin because of the required security clearances. I don't know, I'd have to go back to those who were there at the time to understand exactly why. I don't know that that was the major reason, but there is no question--and Scott or the DSO may want to speak to this--that we missed the classification of those blueprints.

     Dave, I don't know if you want to talk to your sense of the record there.

    Again, not being there at the time, my expectation would be that the project authority would assess the threat and the risk, including the vulnerability of the building or what sort of documents we're talking about, and in this case it was only a 50% solution of the bare building. They would look at the vulnerabilities, the probability of there being some sort of compromise or threat, and the consequence of that. They would make that assessment and come to the conclusion that in this case those basic plans would be unclassified. And that's the decision that was made for those particular blueprints.

    With the advantage of hindsight, Mr. Chairman, I think the bottom line is this: I think the Auditor General reported that if we had that decision to take again, we would have done a security requirements checklist on that project and those blueprints likely would have been classified. Did we make a mistake? Yes.

    Thank you, Mr. Fitzpatrick.

    Mr. Christopherson, seven minutes.

    Thank you very much, Chair.

     I want to make a note of what you just said and I'm going to come back to that.

    Let's put a focus to this. Mr. Williams is trying to suggest that this is only a gathering of folks with no real purpose. The fact is that we did deal with this once in a chapter review. We found serious problems. The Auditor General--I want to remind everybody--on February 26 of this year said in her opening remarks:

    And on the same day, Mr. Scott Stevenson, the acting ADM at the time, said:

    We had our meeting and we had not yet met to write our report. In the interim, along come these headlines showing that these plans are in the garbage. We've brought you back here to find out where we are on this issue. Is it closer to the opening comments that the Auditor General made, that things are serious and there are weaknesses and this is another example of that? Or are the comments that everything is fine true, and we don't need to worry about anything? Or were we given nice little assurances, patted on the head, and the reality is that we still have continuing weaknesses? Hence the hearing to find out which of those two applications would apply vis-à-vis these blueprints being found in the garbage; let's understand this.

     I understand the point being made that they weren't classified as...is “secure” the correct term?

    Classified.

    Okay, classified documents.

    So we have two questions. First, were all the procedures and policies followed? I've just heard, no, there were mistakes made--

    Just as clarification, my comment was with respect to North Bay.

    That's too bad. I was hoping you were going to tell us that this was the problem.

    I apologize. I should be clear that in this context our investigation immediately, as soon as this became apparent through the newspapers, showed no breach of any policy.

    Assuming that's the case--I'll just jump ahead a bit--I was a little disappointed to hear you say, sir, that you have a review going on and the recommendations and findings will be available at the end of this month. That is convenient in that we would have already met.

    Was there any attempt, on your part, to call the clerk's department and say, “I have an internal review. You might want to hold off on your hearing until you get that review”? I'll give you a chance to comment on that. I found that it looks a bit strange that this well-publicized meeting is going to happen before the internal review is done, and there didn't seem to be any attempt to try to coordinate those things--the things at hand, the blueprints.

    The other question is, should they have been labelled classified? Even if you followed all the procedures and ticked off all the boxes, that doesn't make the world okay. It's only a human-created piece of paper with human-created little boxes that may have got checked off, but at the end of the day maybe that procedure needs to change. Maybe that's where we are. Maybe that's what we'll find out from today. Your internal procedures were okay in terms of the boxes being ticked off, but we need to generate a whole new checklist and we need other boxes to be ticked off maybe in a more timely fashion.

    But I have a real problem accepting that it's okay and it's not a big deal that blueprints for the new Canadian Joint Incident Response Unit in Trenton were found in the garbage. Let me get this straight. This unit is going to be the military's main responder to chemical, biological, and radioactive threats. That's what this centre is for. The design plans show, as far as we know, the electrical grid scheme for the unit's computers and details about sewer systems, areas for workshops, seed container loading docks, and offices for the unit's various troops. There is also a blueprint for the storage bay for the unit's robots, which are designed to detect chemical and biological agents. Never mind the checklist.

    Somebody here please tell me, in a layperson's way, how that is not a security risk at some point. I'm a layperson. Explain to me how blueprints that show that kind of detail about the building are not a risk that you shouldn't take.

    Mr. Chairman, first of all, on the issue of the review that is being done by the chief of review services--an error perhaps of omission that we did not inform the clerk, certainly not an error of commission--the timing of that review was always intended. I don't remember exactly the date the blueprints were found. I asked for the review to be done shortly after that, long before the timing of this hearing would have been set up. So I apologize for not having thought through the idea of informing the clerk that perhaps we wanted to wait.

    We'll certainly make the results of that review to the extent there's nothing classified. I expect there will be nothing classified in that review. The report will be available to the committee as soon as it is available.

    On the member's other question, Mr. Chairman, on the nature of the blueprints, I would turn it over either to Colonel Mike Day, who will be the owner of this building shortly, or put it back to the DSO. I am not unsympathetic to the questions the member is raising. All I am telling you is that we followed a process—process is not unimportant—established under the government security policy. Through our own departmental security policy we did a security requirements checklist on this project, and we came to the conclusion that the blueprints did not need to be classified.

    I would just say, by way of closing, and then turn it over, that as it turns out, the electricals on those blueprints, as I understand them, were about 50% aligned or correlated with the final electricals within the building.

    I'll turn to my colleagues for any comments they may want to make on the actual intention.

    Mr. Chairman, thank you.

    With regard to the blueprints and to the actual questions, I reiterate that the process that was followed did identify, as was discussed, all the checks in the box. Subsequent to both the Auditor General's findings and the complete acceptance of all those, a subsequent review was done with the security checklist being examined. That resulted in the decision that the actual shell of the building was not to be classified at that time. Subsequent to the blueprints being found in the garbage, that process has once again been revised, and certainly in hindsight, as the deputy minister has mentioned, we will relook at those criteria in order to determine if additional checks need to be considered.

    With regard to the actual threat itself, we take that business, as the Vice Chief of the Defence Staff has said, very seriously. We go through a continuous review to determine whether or not we have risk or exposure to a variety of different threats and that isn't a one-time deal. As a result of this incident--I believe the blueprints were found on March 13--we immediately initiated an internal review of those security measures, not only of the building on site but the unit itself, to determine if there were any present threats that were identified. There have been none at the moment, which doesn't mean to say that abdicates our responsibilities. Rather, we subsequently looked at the renewed process and whether or not we would come to a different conclusion as those processes get changed. I believe, as the deputy minister said, we would likely come to a different conclusion.

    What we have done in the interim is look at what we can do to mitigate that risk. I am satisfied that both internally, in my command within the CF, and in the department we have taken all reasonable precautions to ensure that any subsequent threat is of a reasonable nature and that we will be able to continually implement those improvements, as well as continue to review the threats and risks that we face.

    Thank you very much, Colonel Day.

    We're going to go to Mr. Holland for seven minutes.

    Thank you, Mr. Chair.

    I want to start with the scope of this. If you take the NORAD facility as an example, this is a major breach. You said this was a mistake. The problem is that it isn't just a security issue; it's also an issue in terms of the trust and support that we have with our allies and NORAD. When they're turning to us to work with them, if things that should have been classified....

     You're saying that, in retrospect, this was an error and it should have been classified. I find it hard to believe that when we're dealing with a NORAD facility there would have been any other conclusion other than it should be classified. That hurts us. It hurts us not just in terms of a security risk, but also in terms of working with our NORAD partners.

     I'm confused now because the comments of Colonel Day seem to indicate that there was a mistake in the classification of the facility, the Canadian Joint Incident Response Unit in Trenton, and that should have perhaps been classified.

    There was a definitive statement that the NORAD incident was a mistake. Perhaps in the incident where this was thrown in the garbage, the Canadian Joint Incident Response Unit blueprints should have been classified. But in the Auditor General's audit, we found that 99% of the security requirements checklists were not completed, were not done.

    So it's not as if this is a one off. If we start with 99% not being done, should there not be an assessment being done in all of those instances, before contracts are awarded, especially if it's for something like a NORAD facility? But in general, is that not something that should be done? Is there a commitment to take us from 99% to zero?

    Mr. Chairman, on the issue of U.S. confidence, the U.S. is, as I understand it, very comfortable with the state of that building and its actual use. They have sent their own teams to have a look at that building. So they are now very comfortable.

    The only thing I would say in response to the member's question or concern around U.S. confidence is that, as I think the relationship has shown over and over again, confidence comes from recognizing any errors we might have around these kinds of things and fixing them quickly, fixing them in a way that actually works for both parties. I believe that actually has been done in the context of the North Bay facility, just from the perspective of U.S. confidence.

    On the issue of the JIRU building and whether we made a mistake, I think I would actually like to correct the record, or at least address the comment. I'm not sure the colonel said that we made a mistake. I think the colonel said that if we were to look at it again, if we were to look at the threat and risk assessments around this, would we have done this differently? And I think the answer is, yes, maybe we would have done it differently. So I'm not sure that I heard the colonel--but I stand to be corrected--definitively say that we would have done it differently.

    On the issue of 99% and moving that down, we now have in the department, essentially operationally formally required next month, every project over $5,000 either requiring a security requirements checklist or certification--as proposed by the Auditor General--that there are no security issues.

    Maybe it's splitting hairs, but when you say in retrospect you would have done something differently and maybe it was not handled properly, whether or not you want to call that an error or whatever, my point remains.

    My concern , and I want to hear a little more clearly, is what you're doing with respect to the classification of buildings, and secondly, how you're going to handle documents at various security clearance levels.

    I don't accept, and I hope you don't accept, that blueprints being found in the garbage or being abandoned in some way that somebody else can pick up is acceptable, particularly if we say that maybe in retrospect those blueprints should have been classified.

    Is there a policy, or are you looking at a policy, to handle documents of different security levels in such a way that this type of behaviour would be prevented? And can I ask what consequences there would be for individuals who would breach those new protocols, if established?

    Mr. Chairman, on the issue of document handling and classified documents, there is already a very clear process in place for how classified documents are to be handled, who is to have access to them, the kinds of security clearances they actually require--

    I'm sorry to interrupt, but under that system you said that there wasn't a problem with these documents being on the street. You said you had done a review of that and that it might not have been ideal but there was no problem with it under the current protocol.

    Is that something you're comfortable with? Because I'm not, I'll be honest with you. And I have a question for the auditor in terms of whether she's comfortable with that.

    Are the protocols going to be changed such that this type of behaviour is not something that would be accepted and there would be consequences for it?

    Mr. Chairman, again, let me make sure I understand the question clearly. Maybe the Auditor General understands it more clearly than I do.

    These documents were unclassified. The government security policy does not require unclassified documents to be handled in any particular way. Do I personally like the idea that these blueprints ended up in a dumpster somewhere? No. Is there a requirement, an obligation under a policy to handle them differently? No. Is it being addressed in the context of Treasury Board's review of the government security policy? Yes.

    If I have a second, maybe I could go to the auditor. Do we not need a system that demonstrates what's going to happen with documents of various security clearances? We've seen how this has really undermined public confidence in security, when these documents were found in the way in which they were and we were told that the current protocols allow for that, there are no consequences.

    Do you not feel we have to have some protocols on how we deal with these documents, lest they be found in the manner that they were? That really undermines confidence.

    Mr. Chair, as the deputy has indicated, there is quite elaborate policy and guidance to all government officials on how to deal with documents that are classified. These blueprints were not classified. They would be the same, quite frankly, as a memo pad in an office somewhere. It goes out in the garbage, and--

    We had said that maybe they should have been--

    Well, the issue comes back to the fact that under the practices of the department at that time the shells of the buildings, in most cases, would not be considered classified. It was only when they started to do the fit-up of what goes inside that they then would look at classification.

    One of the issues coming out of all this is that maybe they should be considering what is going to happen inside that building much sooner in the process--I think the department agrees with that--and what the context is around that building. In this case, I believe it was a training centre. A training centre in and of itself may not be particularly sensitive, but if you have sensitive conversations going on there, which one might think could happen in this particular location, maybe you would want to think about the security earlier.

    This is one of the issues that I think are coming out of this whole thing. The way of treating the building as a shell, as being unclassified, meaning that all the plans for that are unclassified and open to the public, to people who are contracting on it, may not be the best way of going about this and that there should be a more rigorous security consideration given to what is going to happen in those buildings earlier in the process.

    Thank you, Mr. Holland. Thank you, Ms. Fraser.

    Mr. Lake, seven minutes.

    Thank you, Mr. Chair.

    I have the same questions that my colleague Mr. Williams had regarding why we're here today. I note that in the Auditor General's statement, in paragraph 11, she says:

    We don't very often get to read paragraphs like that from the Auditor General. It's not very often that we bring people back to congratulate them on actually doing what the Auditor General recommended, so congratulations.

    I'm sure the deputy wouldn't mind if you congratulated him, though.

    Maybe we should do that more often.

    I'll just take the afterglow from the Auditor General here. Thank you, Mr. Chairman.

    Do you guys want time for a hug?

    I do want to use this as a little bit of a learning experience, though, if I could. The Auditor General was referring to this just a little bit when she states in paragraph 9

    As I read the rest of the paragraph before and just listened to the Auditor General, I had the same questions. It seems odd to me that something that would eventually be deemed classified would at some point earlier in the process be deemed unclassified, especially if it's known that eventually it's going to be an area where stricter security measures will be needed.

    Maybe you could speak to that a little bit in terms of how and when you determine the security levels of the buildings.

    Yes. I'd be happy to, Mr. Chairman.

    Actually, I will ask the departmental security officer to speak to it. Just before I do, though, I will address the question that a previous member was asking and that the Auditor General actually answered. We are attempting to address that question of the front-end look-out to the end use of the building and the life cycle of the building. We are doing that by reworking our own internal security policies—again, they'll ultimately be consistent with the government security policy—to put more emphasis on the assessment of threats and risks at the front end, which becomes the trigger or the keystone for determining whether or not we do a security requirements checklist, which ultimately determines the classification of the blueprints.

    Let me just turn to my departmental security officer for a moment to reply to the member's question around how and when buildings actually get classified.

    Very early in the process, immediately after a statement of requirements is written, the project authority would assess...and the deputy minister has mentioned that we're actually making the policy a lot clearer for project authorities. The end-of-July policy will give some better instruction on how to actually assess threat and risk. Again, as the Auditor General mentioned, that's looking at the eventual use of the building.

     I think a better way to describe this might be to give an example. The threat is fairly simple...well, not simple, but you look at a national threat and a local threat and our intelligence personnel would be able to provide us with that information. Probably a little more complicated is that the project authority has to look at the risk to personnel, information, and assets. Looking at the risk, they would look at the vulnerability of the assets and the information, the consequences of a security incident, and the probability of something happening.

    As I said, I'm going to just give a quick example using perhaps a hangar. It's quite probable that in the 30- to 35-year life of that building there will be classified discussions in the hangar. However, it would happen once in a very blue moon. So you look at the probability of somebody putting a bug into the wall, if the threat were espionage, for example. When you look at the probability of that occurring, it's very small. So you could see building the shell of a hangar for fixing airplanes being one example of where unclassified documents would be acceptable and there's an acceptable risk.

    If you look at an ops centre where there's a lot of classified discussion on a daily basis, you could see that hostile intelligence services may target a building such as that, and the probability of that happening would be a lot higher. In that case you would probably want to classify the shell of that building.

    That's just an example of how we have been looking at threat and risk. As I say, we're going to give clearer instruction to project authorities to look more in detail so that when they make that decision, right after the early stages of that contract, right after the statement of requirements is done, they make the right decision on whether or not a security requirements checklist is indicated.

    For the classified building—because I think this is the issue raised here—where in the process does it actually go from being unclassified to being classified? I think what the Auditor General is talking about here, if I'm not mistaken, is a building, the same building that at one point is unclassified and somewhere along the process becomes classified. Why would it not be classified right from the start?

    In the case of a classified building, it would be immediately. We've made mistakes, and I think we've admitted to that. But in cases such as North Bay, that building would be classified almost immediately after the statement of requirements is completed.

    So from here on in, any building that is going to be classified will be classified right from the start?

     May I try to clarify?

    The current process is build the shell. Generally, it's essentially seen to not be classified because it's a shell with some plumbing and some wiring. As the vice-chief or Colonel Day suggested, as you move into fitting up or creating classified areas within that building, those parts of the contract or those contracts become classified, require classified contractors, security-cleared contractors.

    Basically in the past we have said that there if is no required access to classified information, there is no required access to a classified area, the blueprints or the project are not classified.

    Based in large part on the reality but also on the Auditor General's observations, the change we will make is we will now build into the decision at the front end what the DSO is referring to as a much more rigorous assessment of threats and risks, which are life-cycle, end-use issues around the building to determine whether the overall building should be classified.

    Thank you.

    Thank you, Mr. Lake.

    Colleagues, that concludes the first round. We're going to go to the second round of five minutes.

    Before I go to Mr. Bélanger I just want to point out that the full copy of the memorandum of understanding made between the Department of National Defence and Defence Construction Canada has been circulated to all members in both official languages.

    Mr. Bélanger, five minutes.

    Thank you, Mr. Chairman.

    Madam Fraser, gentlemen--I see the military is still a male preserve, judging from the representation around the table--I want to continue in the line of questioning Mr. Lake brought up.

    Mr. Fonberg, could one make a presumption that most DND facilities would have some security requirement of some sort, by the very nature of the department?

    I would like to turn to my acting assistant deputy minister, Scott Stevenson, or Mr. Nicholls. My gut feeling is that the vast majority do not require security. Remember, many of these are building sidewalks, building married quarters, building barracks. But I would defer to my colleagues.

    But even then, there would be some requirements, would there not, associated with making sure personnel are secure, documentation is secure--no?

    Based overall? I would turn to either Scott or Mr. Nicholls.

    Mr. Chairman, the fraction of the total of more than 22,000 buildings in the Department of National Defence that would have those kind of security implications are the operational buildings, and that is a small fraction. I don't have the specific number, but that's the kind of information I could provide.

    The reason I'm bringing it up is that the Auditor General says in her paragraph, which Mr. Lake identified, that although the purpose of the facility remains the same throughout the project, the security may only be considered fairly later.

    I want to associate that with the letter Mr. Fonberg sent to the chair of the committee in March in which he says that, for example, approximately $515,000 was spent acquiring, installing, and calibrating special monitoring equipment to mitigate against potential security compromise. And then there's an $84,000 annual recurring cost. These costs have been borne and are continuing to be borne because the facility was not declared, at the outset, to have security requirements. Correct?

    Correct.

    Do you have a sense of the amount of money that might have been spent over the years or is still being spent on an annual basis because when we started we failed to declare a facility as having security requirements before we finished it?

    This is a public accounts committee, so we're concerned with safety but we're also concerned with public dollars, and here we have a recognition that half a million dollars could have been saved if we'd declared it initially, and $84,000 annually.

    It's a very good question, Mr. Chairman. Again, I would turn back to Scott as to whether there's any evidence that, because of a failure to run a security requirements checklist or to classify a project, we have incurred additional expenses as a result.

    Just to make sure, because security does trump here, as we say in our action plan, we have begun a review of all the 8,500 contracts the Auditor General identified in her report to understand whether there have been any breaches. If we determine there have been any breaches, it could--

    Excuse me; I have more questions, so could we--

    No, I'm just saying that it could, in that eventuality, actually result in further modifications and further costs.

    Then Trenton could be an example.

    Not as far as I know.

    So it's not declared safe, or there are no safety requirements, and that's why we have technical plans that can be picked up on Bank Street here? But at some point down the road it's not going to be declared as needing security requirements of any kind?

    If I may, Mr. Chairman, the concern here is the difference between the unclassified shell, as has been described previously, and the determination that internal to that shell there will be a classified area. That is a separate contract, a separate project, and it's in accordance with the process that Mr. Stevenson spoke to. Its implementation, regardless of whether the whole facility is classified or non-classified, does not incur greater cost. It is a stand-alone issue that has very unique and specific requirements.

    But a stand-alone issue is not stand-alone when you have a North Bay facility at $500,000, with $84,000 ongoing, because we didn't classify it at the start. And here with Trenton we have the same thing. If we had no further security classification requirements in Trenton, then I'd agree with you. Otherwise, what we have here is a policy that is driving costs upwards.

    So perhaps we want to review that. I'll just leave it at that.

    Do I have any more time?

    No, your time is up.

    I'll come back during the second round, if I may, Mr. Chairman.

    Yes. Thank you, Mr. Bélanger.

    Mr. Sweet, you have five minutes.

    Thank you, Mr. Chairman.

    I guess the Auditor General gave the nod that you should be congratulated for a good business plan and a path forward. Obviously I should congratulate you for that, Mr. Fonberg, and for taking action.

    I don't want to speak for everybody, but I think certainly one reason for some of the frustration and additional questions is that post-9/11 it still took an auditor general's investigation to really cause action to happen in this regard. It was obviously long overdue. There is that kind of feeling here. I know that there's no answer regarding that, but that's certainly the concern that I and some of the committee members have, that there should have been some mechanism so that there would have been a review and more initiative taken.

    It does concern me that, as you mentioned, you did not find out how the blueprints got there. It sounded as though you weren't really concerned about investigating that aspect, about how they arrived in the middle of Bank Street, or talking to the vendors. Did I hear that correctly?

    No. In fact, I'm not sure who would actually have the laydown on that. We actually did go back and do a thorough review of everybody in this contracting and subcontracting process who may have had access to those blueprints. As I understand it, we actually did make a number of calls trying to figure out whether in fact they had laid other tubes--are you familiar with this?--into that dumpster.

    It was not an investigation that was leading anywhere. As I understand it, but I stand to be corrected by my staff, because the blueprints were not classified it did not appear to be a terribly fruitful investigation to continue.

    It actually puzzles me that even for unclassified documents there isn't a catalogue of how many blueprints are issued...and make sure they're returned.

    You've mentioned several times, Mr. Fonberg, the Treasury Board review. Are you going to be advocating for substantially different procedures, as this review goes on, in terms of how documents are classified and handled?

    There are two different issues, Mr. Chairman. I think we are already in the process of looking internally. We will probably set a threshold that is beyond the government security policy for the actual classification of our buildings. We will strengthen the assessment of threats and risks in terms of the classification.

    With regard to the handling of documents, I actually share the member's frustration. I think we were all puzzled, in some ways, to find out after the fact—maybe some of my colleagues before the fact—that there actually were absolutely no rules for the handling of unclassified documents.

    So in my deliberations and discussions with Treasury Board, I have certainly been arguing that they need to be very clear--either that there will be or there will not be. I may have a preference, but there are implications associated with those preferences, as well.

    Specifically in the NORAD facility, we obviously have partners there. Are there any concerns in their regard? Have they addressed any concerns to us?

    Mr. Chairman, we have been very transparent with our American allies in this regard. In developing the mitigation measures, we've shared those measures with them. As was indicated in the deputy minister's letter back, they have indicated their confidence in how we're moving forward with regard to the mitigation measures on information security.

    Thank you.

    Finally, you mentioned that you're taking steps to investigate the 8,500 contracts. I don't think I'm going to have enough time, but I'd love to hear more about the detail around that. I am very glad you're doing that, in regard to Mr. Bélanger's questioning, in the sense that I hope you're also going to investigate not just where there should have been a different classification but also where there's any kind of additional expense that's been aggregate over the years—it might be a humbling process—so that we can discover exactly what that cost is. I think that will drive some of the process of change as well for the future.

    Mr. Chairman, if I may say so, the priority of that investigation of the 8,500 is really not so much to determine what should have been classified differently but to determine where there could be an exposure because they were not classified differently. So it would be to determine first and foremost whether there could be or could have been a breach in the handling of classified information as a result of not having done an SRCL. In that process, we will obviously develop a view of whether there are any projects that need to be modified, and develop a sense of whether there are actual costs associated with that.

    Thank you, Mr. Sweet.

    Mr. Laforest, you have five minutes.

    Mr. Chairman, I will share my time with my colleague.

    Mr. Fonberg, Ms. Fraser appeared before the committee in February, after tabling her report. In this report, she states:

    When she was asked if she could exclude the possibility that security had been compromised, she answered: “In our opinion, there is a risk that security was breached.”

    How can an organization committed to defending and protecting the public get caught by... How is it possible that an audit from the Auditor General's office was needed in order to reveal a situation that could have been dramatic? We do not know what exactly could have happened. Why do you not have sufficient internal control?

    Had there not been an audit by the Auditor General's office, could you have applied some process yourselves to analyze the situation and make sure that it never happens again? This is extremely worrying.

    The member has raised a number of issues, Mr. Chairman.

    First of all, in terms of the issue of a breach of security or handling of classified information, the purpose of our review of the 8,500 contracts that were let is to ensure, ourselves, that in fact there were no breaches. If we discover that there may have been a breach, then we will take actions to deal with that.

    I think one of the things the Auditor General's report showed--she is here, and she can speak to her report—was that there are systemic issues around this, that the government security policy itself, Treasury Board policy, was less than perfectly clear, Mr. Chairman, which led to different interpretations for those who actually were trying to manage projects, particularly construction projects. My understanding is that her recommendations to us, to the RCMP, to Public Works, and to Treasury Board will bring coherence and alignment, so that the challenges we actually experienced, which the Auditor General pointed out in her report, do not occur again.

    Mr. Chairman, perhaps I can add a bit more with regard to our internal regulation and looking at the seriousness of this issue. Going back to 2005, the initial indications from the people in North Bay that there were difficulties on that base, reported through their chain of command to 1 Canadian Air Division, which asked for the services of the Canadian Forces national counter-intelligence unit to launch an investigation as to what occurred in this regard, they are looking at, again, the kinds of security issues and risks that the departmental security officer mentioned, looking at that whole thing, because again, leadership takes this very seriously. If there were indeed any kind of disciplinary action required, automatically it would go across to the Canadian Forces national investigation service in that regard.

    So those investigations were launched. In addition to that, the military police launched an administrative review on how this situation could have percolated to that point.

    Following the conclusions of those, and again, given the context that the deputy minister just mentioned—these policies that were not sufficiently specific because they had not been updated after 9/11, as we've described earlier—that provided the context. So having done an administrative review, a national counter-intelligence review, a national investigative service review, we then launched our own chief of review services to have a look at this, in the fall of 2006, with their director of sensitive evaluations and investigations, so another review of the situation, and then based upon the technical valuations of what was occurring, going into the mitigation measures.

    That is just to say that these processes happen in parallel and are complementary to each other to ensure that the action plan is as comprehensive as we can make it to ensure for the security, and indeed the credibility, of this facility as we move forward.

    Merci, monsieur Laforest.

    Mr. Fitzpatrick, for five minutes.

    I have found this session educational. Maybe it wasn't really necessary, but I found it educational. I'm not an expert in this area. I'm reassured by the testimony I've heard today, Deputy Minister and Lieutenant Colonel Shuster, and by the answers I've heard from you folks today.

    I also want to thank, of course, the Auditor General and her staff, because she is sort of the catalyst for all the changes that have taken place here. Without her report, maybe we wouldn't have this good report card we're getting today.

    I do want to pursue one area. I anticipate that there may be people in the public or members of Parliament who assume that the simple solution in the defence department is to just classify everything as “classified”. But as I said, this has been educational to me.

    If an entire building such as the Trenton facility were a classified facility, I'm assuming that the contractor, the subcontractor, the architect, the engineers, the tradespeople, the workers on it, the key suppliers, and key service providers to the whole project would all have to go through some fairly stringent clearances. Is that correct, Mr. Fonberg?

    It is correct that they would have to have a reliability status or they would have to have something beyond a reliability status, an actual security clearance. The lowest level of classification for contractors is reliability status, essentially a police investigation and criminal check.

    There has to be some caution before people go ahead and just classify everything as “classified”. I would imagine that for a full classified facility the price tag would be significantly higher than just a regular construction project.

    I think that's fair to say.

    So we have to manage that.

    Another issue is that if we got more stringent on classifying everything for security purposes, it would seem to me that, really, there are a lot of high-quality contractors in Canada today who have more than their share of work lined up. They can pick and choose their work. The danger, I think, if you went too far this way is that a lot of the high-quality contractors might say, “Thanks but no thanks; we have lots of other work to do and we're just not interested in this sort of project.” Is that a concern?

     I was at Cold Lake last week in northern Alberta, and they can't get contractors to work on unclassified projects up there because the market is so tight. We know that labour markets right around the country are very tight, so even before you get into the classified business, they can't get guys to work on unclassified stuff at the rates we're offering up there.

    So that's a reality we also have to focus on. As a member of Parliament, I need to have some regard for taxpayers in the country too. We don't live in an ideal world, and you have competing interests. You have to find some middle ground in some of these things. I know that everybody would like perfect security, but I don't think we're going to get that in this world. Part of living is risk.

    Thank you very much. Those were my questions.

    Thank you, Mr. Fitzpatrick.

    Mr. Christopherson.

    Thank you very much, Chair.

    I think we are actually getting to the bottom of the great National Defence blueprint blunder. It would seem that proper procedures were followed that allowed what most of us would call highly sensitive documents to be thrown in a dumpster. Therefore, proper procedures in this case are just stupid. I don't think you would find a single person--including in your review--in Canada who wouldn't say that leaving blueprints like that lying around is not in the best interest of the security of our country and our personnel. It's that simple.

     I'm hoping and expecting that as a result of your review there'll be a change in the policy. The deputy minister has said that those documents were not outside the bounds of what the contractor can do with those blueprints. Hopefully in the future that will be outside the bounds of what a contractor can do. I think we've sussed out that much. While procedures were followed, they are woefully inadequate to provide the basic protection Canadians expect the Department of National Defence to provide.

    Having said that...and I'm comfortable that this is where we are. If it isn't, I'll be arguing that you come back here and defend a policy that didn't make the change that makes this out of bounds.

    But assuming that's where it is, Mr. Nicholls, I want to talk to you, sir. If it's currently not against procedures for these things to be thrown in the dumpster, your agency is responsible from a common-sense point of view. What is your defence for these documents--that you would be responsible for--ultimately being thrown in the dumpster? How was that okay in terms of your responsibilities, sir?

    My answer to that would be somewhat similar to what you've heard already. Where sensitive documents are identified, we apply--

     I'm sorry, sir; I don't want to be rude, but I'm really on short time.

    We have found out it isn't against security rules, but it's certainly against any kind of common-sense rules, and you're the one who's responsible for all of this development. I'd like to know what you've done and what you have to say about these blueprints being thrown in the garbage. Since it seems that it's legal and okay, that doesn't make it proper and acceptable.

    What kind of loose rules do you have around the kinds of contractors you hire or the work you do, sir? Please, we need some explanation from you now.

    I would not make any slur whatsoever against the engineers and contractors involved in this job, in that they did follow the rules that were established.

    Nobody has suggested otherwise, sir.

    However, it is standard practice in the architectural, engineering, and construction industry that when unclassified documents are to be disposed of, frankly they're put in the garbage. In this particular case they were put in a garbage receptacle. Somehow they appeared in the middle of Bank Street. I can't answer for that.

    Are you doing a review, sir? Are you looking to find out how that happened?

    No, we're--

    Pardon me; no?

    --relying on the review that's being carried out by the department to identify--

    But weren't the documents under your agency's control?

    They were under the control of the contractors we engaged.

    You engaged the contractors. And you have no role at all in determining what went wrong here?

    We have a role. I don't think it makes a lot of sense to launch an independent investigation at the same time that the department is reviewing the situation.

     That amazes me. You feel no need to do an internal review of any sort. You're just going to let a total external review happen, and you have no concerns at all.

    How did you react when you woke up the morning the article was in the newspaper, knowing it was your agency, your responsibility?

    Obviously I would have preferred not to have found out about it in the same way that others did, by reading the newspaper. However, immediately upon finding out that they weren't classified documents, we go back to the question of what the proper practice is, what the appropriate policy is.

    As the deputy has indicated, the government is looking at this. It's a very big issue for government to say that all documents that are not formally designated or classified are to be shredded, for example, to ensure that they don't fall into other hands. That includes every memo, every letter, every jotting of every government official.

    They have to look at this very carefully in order to put the correct parameters--

    Everybody is going to check all the procedures, but at the end of the day, there is absolutely no common-sense support for this. You can run around and say that it was classified, it was unclassified, it goes into this category, it goes into that category, but the bottom line is that when we have a unit that deals with that kind of security, which is being built in Canada, and the blueprints end up in the dumpster, it's not okay.

     You can hide behind all the policies in the world. The only thing I can hope for is that after everyone leaves here, we come back in a very short period of time with a whole new process that allows us, when the procedures are nicely followed, to actually get some common-sense security, because that's what this is about. It's about common sense, and not about whether something was ticked off in a box as being classified or unclassified.

    If I have any frustration here, Mr. Chair, it's that we're not getting enough people saying, “Yes, committee, we accept that this doesn't make sense. We're going to go back and do all we can to make sure it doesn't happen again.” I'm not hearing that. I'm getting a little bit of it, but mostly it's, “Well, it wasn't classified, so we can do anything we want with it.” And I have to tell you that at the level of the ordinary citizen, this is just not acceptable. We expect better from all of you here than to be in a situation in which those kinds of blueprints end up in a dumpster. That just ought not be, and it can't be again in the future.

    So please, come back to us with policies that will ensure that no one ever again has to deal with a blueprint blunder like this in the future.

    Thank you, Mr. Chair.

    Thank you, Mr. Christopherson.

    Mr. Fonberg, I believe you want to comment.

    I do just very briefly, Mr. Chairman.

    There is a common-sense element to this, but the simple reality is that in a department that deals with 20,000 contracts or something per year, you need more than common sense. You actually do need policies, and you do need procedures.

    I would not want to give the member any false hope that the outcome will be different, although, the policies and procedures will be different. We will spend more time at the front end of every project assessing its risks and threats, which is essentially how I interpret the Auditor General's concerns about the end use of the building and the life-cycle realities of what might happen in that building. But I would not want to give false hope in any way that applying that new set of policies and procedures would necessarily or absolutely lead to a different outcome on the classification of these blueprints. It would come out of a process. We have policies. We have procedures.

    If you're asking us--

    This is unbelievable.

    If you are asking us--

    I'm sorry for interrupting.

    --to simply apply common sense on 20,000 projects, I suspect we would find ourselves in some extraordinarily awkward situations.

    Thank you very much, Mr. Fonberg.

    Monsieur Bélanger, vous avez cinq minutes.

    To Mr. Fitzpatrick, the point is well taken. Not everything needs to be declared a high-security matter, and I suspect sidewalks would be one of those, although these days bugs are being put in box springs, mattresses, and so forth, so who knows?

    I check my bedroom every day.

     However, the point stands, and the Auditor General's comment is valid that when you know that a structure will be requiring additional security measures, they should implement those from the start so that you don't end up with a situation like the one we've had, in which there have been extra costs, and the plans have been found on Bank Street.

    Incidentally, I'm told that those plans are much more detailed than just the shell. They include schematics for wiring and so forth. So one would imagine that if Trenton needs some security requirements, they will have to do that, and they will incur extra costs.

    Will we know that in the review you're expecting at the end of this month, Mr. Fonberg? Will that review be shared with the committee?

    Certainly, to the extent that there's nothing classified. But the review will certainly be shareable.

    That raises two questions. First, when did that review start?

    Mr. Chairman, you sent the letter on April 10, if I recall.

    It was probably within a week of the blueprints actually being discovered, but I don't remember the date.

    Thank you. That's good enough.

    When did the review of the 8,500 contracts, let between 2002 and 2007, start?

    When did it start?

    Yes.

    We started with a sample of 100 of those contracts.

    We started after the AG's report was tabled as part of the action plan.

    It has taken us from April to the end of June to review one, and it will have taken us just a couple of months more, until the end of July, to review 8,500. I'll be curious to see, will we get to learn the results of that review of the 8,500 contracts?

    I'd have to look at those contracts. We can share the issues we've identified issues in those 8,500.

    The question, then, is to the Auditor General: do you as an agent of Parliament have the ability, once the cloak of secrecy is imposed on a project, to go and find out? Do you have that?

    Yes, we have access to all documents that we require to do our work.

    So if this committee asks you to go and verify whatever documents have been declared classified, which we can't normally see, will you do that?

    I will certainly consider doing it.

    Thank you.

    Then we'll have to wait and see what is not given to us and what is declared classified, because too often we put on the cloak of secrecy and then we're shut out. I'm very grateful that you are prepared to at least look at what we're missing.

    A final question: does anyone have a sense of how our own policies in handing out contracts and giving them security classifications compare with the policies of our allies?

    My sense is that it would be very similar. Our allies—for example, the Americans, the British—pursue many thousands of contracts every year. They do a security assessment at the beginning of each one to determine which documents or pieces of information need to be protected.

    Has that worked? Has a comparison actually been done, or are you presuming--

    No.

    So it hasn't been done. Will it be done? Is it something that either Mr. Fonberg or Defence Construction would consider useful?

    I haven't actually thought about that. It probably would be useful. We might be able to start trying to understand how our NATO allies do their business. There might be some information available there. We would certainly be prepared to have a look at it.

    Thank you.

    Thank you, Mr. Bélanger.

    Madame Faille.

    I only have one brief question. I find this whole story of lost documents found in rubbish bins embarrassing. Nevertheless, as a former manager of large projects, which I was before I became an MP, I have a reflex that makes me appreciate your current efforts to evaluate the inherent risks of the project, at the very outset. I think that you are on the right track. However, it is a unfortunate that such documents could have been lost.

    Also, regarding large projects, there is a documentation system. From my past experience with all things having to do with the banking systems or with certain suppliers through the Canadian Forces, I know that the suppliers are expected to keep very strict documentation.

    Mr. Glynn Hines, who is in charge of information management, could perhaps tell us how the major projects of National Defence are documented? Are there any practices for distributing documents, is there any requirement for treating certain documents with special care when they deal with projects? Could he also tell us about the standards for conserving documents, how long they are kept and what kind of documents are kept by the department? Were the plans that got lost in the trash can eventually recovered?

    As far as the documentation regarding projects goes, all of it is handled in accordance with the government security policy. It's either classified or it's unclassified.

    If it's classified, then it's part of documentation in support of a project. It is treated accordingly. The contractor has to have the appropriate security clearances. They're all verified and they're handled accordingly. Whether they're numbered documents and not copyable, whether the contractor has the right storage facilities on-site, whether the contractor is only accessing classified documentation or whether he is required to store it—all these issues are treated as if the contractor were a government employee with the appropriate security clearances.

     If it's unclassified documentation, it's treated as unclassified documentation and is controlled accordingly, which means there are very few controls over it.

     I have just one question for you, Mr. Fonberg. It's probably not a relevant question, but I'm curious as to the circumstances of the individual rooting through the garbage. Apparently somebody was rooting through the garbage and found this.

    What are the circumstances? Is this a common practice around Ottawa here?

    Some hon. members: Oh, oh!

    The practice of dumpster diving, Mr. Chairman? Apparently it has become a sort of full-time profession for some people.

    I don't actually mean to be humourous. I'm not sure I understood the question.

    What are the circumstances of this? Do people do this just to try to find things from the government? Have you run into it before in your career? I just find it a little odd that people would be rooting through garbage.

    I have not, but apparently—and perhaps you're aware—shortly after the discovery and then, I think a week later, the discovery of blueprints for, I believe, an Agriculture Canada building, there actually was talk that people would be doing some hiring of dumpster divers to see what else they could find.

    But no, it was new to me, Mr. Chairman.

    I have a point of order. My understanding is that these were in the garbage, on the street, out in the open, with National Defence logos and words clearly shown. This wasn't somebody doing dumpster diving. This was something that was thrown out in the garbage and left on the street. Somebody was walking by, saw it, looked at it, and that led to today.

    Let's keep this on the facts.

    It's probably not relevant anyway.

    That concludes the rounds, colleagues. I'm going to invite the auditor, Mr. Fonberg, and Mr. Nicholls to make closing remarks, if they have any.

    I'd just like to thank the committee again for their interest in this report. We are very pleased that Defence Construction Canada and the Department of National Defence are taking this seriously and have developed action plans to address the concerns raised in the audit.

    Mr. Fonberg.

    I would just say, Mr. Chairman, that as always the Auditor General's reports are illuminating and elucidating and result in not just action but I think absolutely constructive actions being taken.

    I would say that I think her report has helped to open our eyes to the front ends of these processes and the issue of end use, and to deliberation around end use at the front end of the classification process. I thank her for that and I thank the committee for its time today.

    On behalf of the committee, I want to thank you all for your comments, but before we adjourn, Mr. Williams has a point of order, I believe.

    Yes, thank you, Mr. Chairman. While we have been holding the Department of National Defence and our Canadian Forces to task and account this morning, I think it's good that we put on the record our appreciation for our Canadian Forces as they fight a very difficult situation in Afghanistan.

    We want them to know that we are behind them 100%, even though we put you on the spot today. Therefore, I would ask our Vice Chief of Defence Staff, Mr. Natynczyk, if he has any way that he can do so, to communicate to the forces in Afghanistan and elsewhere around the world who are putting their lives on line to defend Canada that we here in the Parliament of Canada support them very much.

    Thanks very much, sir. We appreciate it.

    Thank you, Mr. Williams, for those comments.

    At this point I'm going to adjourn the meeting. I want to remind members of the committee that you are invited, not for a committee meeting, but to stay around for an informal meeting in camera with the Ugandan delegation.

    The meeting is adjourned.