CSIS watchdog flagged problems with insider threats long before Ortis arrest
Experts say a wider government review is needed to stop insider threats
The watchdog for Canada's spy agency warned about "insider threats" years ago — and flagged gaps in the way top secret information is accessed — in a report that is gaining new relevance as the case against the RCMP's Cameron Ortis moves through the courts.
National security experts are now calling for a wider review of how intelligence agencies make sure their own people don't lose, or leak, sensitive materials.
Ortis, the director general of the RCMP's national intelligence co-ordination centre, faces multiple charges under the Security of Information Act. He's accused of preparing to share sensitive information with a foreign entity or terrorist organization.
Former CSIS senior strategic analyst Jessica Davis said little is known about insider threat protection because it's one of the most sensitive areas of internal security.
"But I think that it's fair to say that there should still be some concern about internal processes, specifically within the RCMP because of the [Cameron] Ortis allegations," said Davis, now president of Insight Threat Intelligence.
"Part of the problem on insider threats is that every time this happens, it's a bit of a learning curve because people have new capabilities and new techniques are developed."
The 2015 report from the Security Intelligence Review Committee (SIRC) raised concerns about safeguards against insider threats, which the report describes as "any person with authorized access who causes harm, intentionally or otherwise, to the assets of the organization."
A 'malicious internal actor'
The report specifically looked at what was being done at CSIS — but would have been written roughly around the time that Ortis is alleged to have first leaked sensitive information.
"In the aftermath of high-profile classified documents leaks such as those attributed to WikiLeaks, Edward Snowden and Sub-Lt. Jeffrey Paul Delisle, the Five Eyes community has elevated the concern posed by the 'insider threat' to a higher level," says the SIRC report.
"Intelligence agencies are paying increased attention to the insider threat in order to reduce its potential rate of occurrence and, failing that, to help limit the damage that can be caused by a malicious internal actor."
CSIS says safeguards always under review
SIRC has since been folded into the National Security and Intelligence Review Agency (NSIRA), a new watchdog body responsible for oversight of intelligence activities at CSIS, the Communications Security Establishment and the RCMP.
The SIRC review took place as Canada was dealing with the blowback from its Five Eyes intelligence-sharing allies (the United States, the United Kingdom, New Zealand and Australia) over the Delisle case. The former navy sub-lieutenant pleaded guilty back in 2012 to selling secrets about Canada and its allies to Russia after his marriage crumbled.
The report set out to examine CSIS's efforts to mitigate insider threats and looked at the access lists — records that allow CSIS to track how sensitive information is being accessed and by whom.
"SIRC found examples of a haphazard application of this process, as well as a lack of documented procedures governing the functioning and maintenance of its access lists," says the report.
The review agency also took a second look at a sample of CSIS's own internal investigations — cases running the gamut from agents misplacing classified information to suspected leaks.
The report pointed to deficiencies in the way CSIS decides when to investigate, calling those thresholds "unclear and seemingly subjective." CSIS also didn't keep proper documentation of internal investigations, said SIRC.
A spokesperson for CSIS said the agency's measures to stop insider threats are "continuously" assessed and updated when needed.
"We also advise departments on how to improve security awareness among their employees and strengthen internal controls of classified and sensitive information," said John Townsend.
"All CSIS employees undergo an intensive screening process at the time of hiring which must be renewed every five years."
Time to audit security screening: intelligence expert
The RCMP launched its own review soon after Ortis, who joined the force back in 2007, was charged back in September.
"A number of internal processes are ongoing to determine the extent of the alleged breach and, where appropriate, identify mitigation measures either at the program or organizational level," said RCMP spokesperson Catherine Fortin.
"A review of the RCMP's measures to protect sensitive information is also underway."
However, the Mounties are standing by their screening process — despite RCMP Commissioner Brenda Lucki acknowledging that Ortis was never subjected to a polygraph test.
The RCMP won't say when Ortis went through his most recent security update. Top-secret clearances go back up for review every five years.
"The RCMP has confidence in its security screening process, which involves multiple steps such as conducting education and employment verification, credit checks, criminal record checks, open-source investigations, interviews and field investigations," said Fortin.
"We also raise awareness of proper security practices and procedures to our employees on an ongoing basis."
The Ortis case is still at the pre-trial stage. Davis said it's still too early to say whether the RCMP dropped the ball in Ortis's case, but the security screening process likely deserves a review.
"Whether or not the issue was with the process at large is very difficult to say. We don't know when Ortis's last security clearance update was, how in-depth that was, what potential problems ... could have or should have been flagged there," she said.
"I think it's definitely worth looking at to see if that is as in-depth as it needs to be. Which is something that, of course, government employees aren't going to be excited to hear because it's already extremely intrusive."
Wesley Wark, a cybersecurity and intelligence professor at the University of Ottawa, said it's time for a broader investigation into how Canadians with secret and top secret security clearances are assessed.
In 2014, Ottawa introduced a Treasury Board-run program to streamline security checks, which includes deep dives into employees' backgrounds and a polygraph test.
You can't have an internal security system that is meant to deal with insider attacks rooted in a concept of trust.- Wesley Wark
"There's no perfect system of defence and you would be creating a truly noxious, internal workplace environment if you tried to create one. The idea of having 100 per cent security against insider attacks is fallacious and misguided," he said.
"But you can certainly do a lot more to make the system sensitive to the insider threat possibility and the way in which insiders are detected."
Wark said any audit should look at whether departmental security investigators — officers who work in-house to keep an eye on employees with security clearances — need more authority.
"Departmental security officers don't really have clout and prestige and reputation within their agencies to really make it work," said Wark, adding their jobs are almost as sought-after as those in the access to information office — "in other words, not at all."
"I'm sure they're very good people who take it very seriously. But it doesn't have the kind of profile it needs. That includes not just giving them real power, but giving them good people and proper resources and making sure that the whole fundamental security officers system is well integrated."
Concerns about spying on co-workers
Another aspect of the Treasury Board's security screening system is the concept of "aftercare," which calls for ongoing monitoring of "an individual's continued suitability to hold a security status or clearance."
That means watching out for changes in an employee's pattern of behaviour — such as a sudden change in financial status, or working odd hours.
Wark said implementing that kind of "aftercare" can make employees uneasy.
"People working within organizations very much fear that the true, hard implementation of aftercare will have kind of devastating morale and workplace effects, because they fear that everybody coming to work every morning will think that they're being spied on," he said. "And who wants to work well in that kind of environment?"
"You can't have an internal security system that is meant to deal with insider attacks rooted in a concept of trust. So getting away from that idea of basing a security system on trust, and moving into a security system that is very much focused on distrust and active monitoring, is a huge challenge."
Since Ortis's case is still before the courts, the NSIRA won't say whether it will look into the security screening process.
The Office of the Auditor General also won't comment on whether it might open an audit of the screening program.