The RCMP has implemented mandatory security awareness training for its employees as part of several changes following the 2019 arrest of a senior civilian member for allegedly leaking classified information. The Mounties have also introduced measures to make it easier to report security vulnerabilities, enhance the internal profile of departmental security operations, and establish a program to reduce the risk of unauthorized information disclosure. These moves were prompted by a review report released in June 2020 that called for a fundamental shift in the security culture of the national police force.
The report, which made 43 recommendations, emphasized the need for training updates, stricter adherence to federal security screening standards, and the possibility of random physical searches. The review was initiated after the arrest of Cameron Jay Ortis in September 2019. Ortis, who was the director general of the RCMP’s National Intelligence Co-ordination Centre at the time, is scheduled to face trial in an Ontario court on charges of violating the Security of Information Act, breach of trust, and a computer-related offense.
To prepare the report, the review team consulted experts across the RCMP and analyzed previous audits, evaluations, and security-incident files. It also relied on information from the investigation of Ortis, known as Project Ace, on a “need-to-know basis.” The report acknowledged that the charges against Ortis have not been proven in court but raised concerns about his ability to gain the trust of senior leaders.
The report identified various weaknesses within the RCMP’s security practices, including the lack of mandatory security awareness training and a prevailing attitude that security restrictions were obstacles to be circumvented. It also highlighted the absence of standards for managing information technology assets and inadequate controls on access to computer systems. Additionally, employees were reluctant to report security incidents due to fear of repercussions for themselves or their colleagues.
The RCMP has made progress in addressing the report’s recommendations. This includes the establishment of an online security event reporting program for employees to report incidents, threats, and vulnerabilities. Furthermore, a mandatory security awareness training course has been implemented for all RCMP members and public service employees to enhance their understanding of security responsibilities.
Other measures taken by the RCMP include ongoing internal communications and security awareness campaigns, the creation of an internal governance model for information technology security, consolidation and limitation of high-security zones with classified networks, and the elevation of departmental security to a stand-alone program within Specialized Policing Services. The creation of an insider risk program is also underway to proactively address internal security issues.
The RCMP spokesperson, Marie-Eve Breton, stated that the RCMP has confidence in its current security screening process, which involves multiple steps such as education and employment verification, credit checks, criminal record checks, interviews, and field investigations. Breton emphasized that the RCMP is committed to continuously reviewing and strengthening its security practices to protect information, assets, and employees.
These efforts come at a time when the national security community is grappling with leaks of classified information concerning allegations of foreign interference in Canadian affairs. The RCMP has launched a criminal investigation into these breaches, which include the disclosure of classified materials produced by the Canadian Security Intelligence Service.