Proceedings of the Standing Senate Committee on
Foreign Affairs and International Trade
Issue No. 57 - Evidence - Meeting of February 20, 2019
OTTAWA, Wednesday, February 20, 2019
The Standing Senate Committee on Foreign Affairs and International Trade met this day at 4:16 p.m. to study foreign relations and international trade generally.
Senator A. Raynell Andreychuk (Chair) in the chair.
[English]
The Chair: Honourable senators, we are in our new room and our new building. Welcome to the members. This is the first meeting of the Standing Senate Committee on Foreign Affairs and International Trade after our break. I see a pretty full house, and I appreciate that.
Before we turn to our witnesses and our study order, as you know Natalie Mychajlyszyn has left us on leave. I welcome a new addition to our committee, B. J. Secerski who will be assisting Pascal and Marion in our studies. I am sure you’ll get to know us and the committee members.
The steering committee has met over the break. There were some delays, which I will go into in camera. We have had some fruitful meetings on the draft report on cultural diplomacy. We are going to redraft the report in a different style. We’ll see how it goes. We’ve had good input from Senator Bovey on that.
I will be doing the foreign policy input and looking to Senator Boehm to assist me in that regard. I received rather extensive notes from Senator Massicotte that will be included and a very valuable comment from Senator Dawson on one topic area. Next week we want to have an in camera session with the full committee on that study.
Those are my opening remarks. Senator Saint-Germain, did you want to talk about that, or can we go on to the rest?
Senator Saint-Germain: We can go on.
The Chair: Thank you for being patient as we get our issues out of the way.
I call to order the meeting of the Standing Senate Committee on Foreign Affairs and International Trade on our reference. We are authorized to examine such issues as may arise from time to time relating to foreign relations and international trade generally. Under this mandate, the committee will hear today from representatives of the Office of the Auditor General about the fourth report of the fall 2018 reports to Parliament of the Auditor General entitled Physical Security at Canada’s Missions Abroad — Global Affairs Canada.
On behalf of the committee, we want to express our deep condolences on the loss of Mr. Michael Ferguson. I know there have been tributes to him in the chamber, but on behalf of this committee we wanted them to be on our record. Please pass them on to your co-workers and his family. He was a man of integrity.
In that capacity, we received a letter which I must say was the first of many where we were addressing issues that were in our domain here in foreign policy and international trade. We hope that initiative will continue. The letter that should preoccupy us as a committee was sent to us. As a result of that, you are here today as witnesses.
I would ask the senators to introduce themselves.
Senator Greene: Stephen Greene, Nova Scotia.
Senator Coyle: Mary Coyle, Nova Scotia.
Senator Ngo: Thanh Hai Ngo, Ontario.
Senator Cordy: Jane Cordy, Nova Scotia.
[Translation]
Senator Massicotte: Senator Paul Massicotte from Quebec.
[English]
Senator Dean: Tony Dean, Ontario.
Senator Bovey: Patricia Bovey, Manitoba.
[Translation]
Senator Dawson: Senator Dennis Dawson from Quebec.
Senator Saint-Germain: Senator Raymonde Saint-Germain from Quebec.
[English]
Senator Boehm: Peter Boehm, Ontario.
The Chair: I am the chair, Raynell Andreychuk, from Saskatchewan.
I will introduce our guests. As our first panel, we have from the Office of the Auditor General of Canada, Jerome Berthelette, Assistant Auditor General, and Carol McCalla, Principal. Welcome to the committee, and thank you for accepting our invitation to come today. We would like you to present your comments and be available for questions.
Mr. Berthelette, the floor is yours.
Jerome Berthelette, Assistant Auditor General, Office of the Auditor General of Canada: Thank you, Madam Chair and committee members, for your condolences. I will be sure to pass them on to our office.
Also thank you for the opportunity to discuss our fall 2018 report on Physical Security at Canada’s Missions Abroad. Joining me at the table is Carol McCalla who was responsible for the audit.
This audit examined whether Global Affairs Canada had physical security measures in place at its missions for the effective protection of its staff and assets. Physical security measures include safeguards such as fences, vehicle barriers or alarm systems to prevent unauthorized access or attempts to cause harm.
As an employer, the department is responsible for the safety and security of its staff. More than half of the mission staff members work in dangerous locations that require protective security measures.
Overall, we found that Global Affairs Canada had not kept pace with evolving security threats at its missions abroad. Over the past decade, the department received $650 million to upgrade the physical security of its higher threat missions. We found insufficient documentation to demonstrate how its physical security projects were prioritized to ensure that the most critical needs would be met.
The department had identified more than 200 security measures that were urgently needed across all its missions, but it did not yet have a plan in place for their implementation.
We found weaknesses in the security assessments conducted by Global Affairs Canada at its missions. For example, more than one-third of threat assessments were out of date, and many of the vulnerability assessments were incomplete or failed to recommend safeguards to resolve identified weaknesses.
In fact, baseline security standards that specify the safeguards needed to protect missions against direct physical attack were still under development at the time of our audit. Without these standards, Global Affairs Canada cannot comprehensively assess the measures needed for the effective protection of staff and assets across its missions.
Yet the department is responsible for the safety of its staff working at missions abroad and security upgrades to its many missions are urgently needed.
[Translation]
We examined the security measures in place at six high-risk missions and found significant security deficiencies at all six. The department has known about several of these deficiencies for years, yet it had not put in place all of the recommended measures to resolve them, such as improved video surveillance, alarms and vehicle barriers. Security officials at these missions did not know the status of the approved physical security upgrades or what interim measures were needed to mitigate the identified security risks.
Most of the department’s capital projects to upgrade security were at least three years behind schedule and were taking almost twice as long to complete as originally planned. We found that these delays were caused by weaknesses in the department’s project management and oversight. For example, construction project plans did not sufficiently assess and build into the schedule the risks unique to the host country, such as the time needed to obtain permits. Other federal entities such as Defence Construction Canada have specialized knowledge and experience in international construction projects that could help Global Affairs Canada ensure that important security upgrades are delivered on time and on budget.
Finally, we found that more than one third of the staff members working in some of the most dangerous locations had not taken mandatory security awareness training. As a result, Global Affairs Canada did not have assurance that its staff members had the appropriate level of security awareness needed for their effective protection. We made five recommendations, and Global Affairs Canada agreed with all of them.
Madam Chair, this concludes my opening remarks. We would be pleased to answer any questions the committee may have. Thank you.
[English]
The Chair: Ms. McCalla, you’re here to answer specific questions, I take it. Thank you.
[Translation]
Senator Saint-Germain: Thank you for your presentation. Global Affairs Canada was supposed to have implemented several of your office’s recommendations by December 2018, namely recommendation 4.26 regarding physical security measures and recommendation 4.53 addressing the process to identify, prioritize and approve physical security projects. Can you tell us whether, in fact, the recommended measures are now in place? I’m referring to recommendations 4.26 and 4.53.
[English]
Carol McCalla, Principal, Office of the Auditor General of Canada: We examined the physical security projects that were managed by Global Affairs at its missions abroad. The deficiencies that we observed were pertinent to its previous tranche of funding. It had received $650 million to upgrade its security. We looked at those to identify lessons learned for the next tranche of funding.
In October 2017, it received an additional $1.8 billion to upgrade its security. We looked to frame the audit findings and recommendations to inform Parliament and to inform the department of what needed to be done for its next steps.
Since it had received that funding and implemented those projects, it had made a lot of progress in how those projects were being managed recently in the last year or so. We reflected those in the report.
In terms of what type of a job it’s doing in meeting the recommendations and completing its action plan, I would suggest that would be a question you would want to ask of Global Affairs in terms of how it is going in meeting its recommendations and how its action plan is going forward. We were satisfied the action plan that it had put in place was satisfying the intent of our recommendations.
Senator Bovey: I noticed in the Auditor General’s report that you included a list of security incidents which have occurred at embassies and consulates over the past decade, but I didn’t see on that list the incident that occurred in the Canadian embassy in Cuba in 2017.
I wondered why and I wonder if you have any recommendations or thoughts about that.
Ms. McCalla: The situation in Havana, Cuba, was evolving as this audit took place. At the time we were conducting our audit work it wasn’t quite certain whether or not it fell under a physical security type of issue, and that was the focus of our audit.
We did not look at that event and did not consider that as an attack of a physical nature on the mission at the time that we did the audit. As things evolved, I think the government and Global Affairs Canada are still trying to understand the nature exactly of the threat that was posed.
Certainly there are issues related to the duty of care that Global Affairs does have to its staff posted abroad. That is relevant for our audit. We looked at how Global Affairs is fulfilling its duty of care for the safety and security of its staff posted abroad.
Senator Bovey: I’ll reserve my next question for Global Affairs.
Senator Cordy: You spoke about 200 security measures that the department had identified at its missions abroad.
Are these prioritized so that they are the emergencies that have to be done now or two years ago, and others can wait awhile? Or, were these 200 major security issues that had to be dealt with and should be dealt with immediately?
Ms. McCalla: The 200 countermeasures or security measures identified by Global Affairs across its 175 missions that needed to be done were what Global Affairs had identified as the most critical out of the over 600 that it had identified across its missions. It had assembled that list in September 2017. It had prioritized them. We had identified the ones that were high risk and critical and counted 200 of them.
Many of those are at missions in dangerous locations or in high-threat locations. What we did not necessarily see was that a plan had been put in place yet to resolve them. That’s what Global Affairs was working toward as our audit period closed and what they will be addressing with their next tranche of funding.
Senator Cordy: When Global Affairs is looking at security issues and how to them, do they work with other departments or is it just Global Affairs? Would they work with another department to ensure that it could be done quickly?
Ms. McCalla: We had examined physical security projects which were being planned and managed by Global Affairs Canada, but the opportunity does exist with them to work with other government departments.
We pointed to Defence Construction Canada, for example, which has experience in implementing a lot of security projects overseas that are usually unique and very complex and have a wide range of risks for the international environment. In a previous audit we looked at Defence Construction Canada and found that they did do a good job in managing projects.
Senator Cordy: Has Global Affairs Canada been using Defence Construction Canada?
Ms. McCalla: They had no projects during our audit period, but the opportunity does exist for them to use them. They can work with them under a special memorandum of understanding.
Senator Cordy: You made five recommendations that Global Affairs agreed with.
Ms. McCalla: Yes.
Senator Cordy: Have they started addressing any of these recommendations?
Ms. McCalla: One of them was specifically on working with Defence Construction Canada, not necessarily through a direct engagement with them but just learning from them. Defence Construction Canada has a lot of expertise that could be of benefit to Global Affairs.
After our audit closed and they provided their action plan, I haven’t been up to date on exactly where they are in their action plan. That might be a question you would want to ask them.
Senator Cordy: How often do you follow up on whether or not your recommendations are being followed or if there are new security threats? Is it every five years, every year, or every two years?
Ms. McCalla: It depends on what the department has been doing. The department itself reports to Parliament and reports publicly as well on its progress in implementing the recommendations.
We may come back in a year or two or five, depending on the timeline, to see what the success has been on that.
Senator Cordy: You can just decide that you are going to do the audit. You don’t have to be asked in by Global Affairs, do you?
Ms. McCalla: No.
Senator Dean: This is a question about some gaps in personal security training for government staff deployed to high-risk foreign assignments. I think two out of five was the number mentioned.
What is being done about that? Is it not possible to provide both basic and advanced levels of security training to people before they leave the country for their deployments? We seem to be waiting for people to get on site. Are there any reactions on that?
I mean physical security and infrastructure is one thing and personal security is another. I know from some of my foreign work that it’s the first question I ask. I imagine more seasoned people might have had the training previously.
What could be done about that gap? Is one of the options for addressing it making sure that security training is provided before deployment?
Ms. McCalla: That indeed is their model. The security training that we examined was mandatory for staff that were being deployed to their higher risk missions and was to be completed before the staff started working there.
Their policy is quite clear on that. It is the clear responsibility of their departmental security officers and heads of missions to ensure that the staff working at their missions abroad have the appropriate training. It is recognized that this training is necessary for their effective protection.
We examined whether or not they had that. We found a lack of oversight in that departmental security officers were not ensuring that staff had completed their security. We then went in to look to see what training records were available to assure ourselves whether or not staff were doing that.
The requirement is clear. We understand from our conversations with Global Affairs that they didn’t have the funding necessary. Staff may be posted and they don’t return home or to Canada to receive the training. The model was that they receive the training in Ottawa or in Kingston. They are now looking at different options for delivering that training.
In the new tranche of funding they have received dedicated funding to provide training. That should help bridge the gap there as well. Our main focus was that this is what you have identified as required, you agree this is necessary for your staff’s protection, make sure it gets done.
[Translation]
Senator Massicotte: Thank you for being here this afternoon.
As I understand it, building and security projects are coordinated here, in Ottawa. Is the work always done by local contractors?
[English]
Ms. McCalla: It can depend on the situation. Depending on the location and on the security level of the work that is being done, there could be a combination. We observed on some projects that they were managed. The Global Affairs staff from Ottawa would go and be on site for the duration or different iterations throughout the project to oversee management.
[Translation]
Senator Massicotte: They merely oversee management of the work. They don’t carry out the work. Is that correct?
[English]
Ms. McCalla: Exactly, yes.
[Translation]
Senator Massicotte: The findings speak for themselves: Things clearly aren’t being done. That’s due to a lack of organization, not human resources. Is it commitment that’s lacking? Is it a cultural problem? We are talking about major deficiencies. Do the officials in Ottawa not take the matter seriously? Why is this happening?
[English]
Ms. McCalla: We looked at the 25 physical security projects being managed globally by Global Affairs in Ottawa. We observed several reasons for delays within the control of Global Affairs.
It wasn’t necessarily related to the nature of the work being done within the local environment, but they were risks that should have been managed better by Global Affairs staff related to working in an international context.
We had identified gaps in their workforce in Ottawa. They had a very high vacancy rate within the section that manages these projects. As well, they didn’t necessarily have the software they needed to be able to track these very complex projects.
[Translation]
Senator Massicotte: Security is hugely important; people’s health, or even their lives, are at stake. How come security isn’t taken more seriously? What is causing these things to happen? I don’t see how it all comes down to skipping a few steps on the list and thinking it’s no big deal.
[English]
Ms. McCalla: The physical security upgrades which Global Affairs had identified as being necessary are indeed necessary and fundamental to the effective security of staff. They can layer on operational security measures. They can use intelligence as well. If Global Affairs does judge that the security of their staff is at risk at any time, they can take measures to close the embassy or add additional operational security measures.
The projects we looked at were identified by Global Affairs as being urgently needed and fundamental for the effective protection of their staff because physical security is your gold standard of protection for your staff.
Why were they not being implemented? We found in most cases that it was due to poor project planning and oversight. Therefore, we made recommendations for that improvement.
Senator Boehm: It’s always good to see a solid report from the Office of the Auditor General of Canada.
I wanted to make a few comments. I’ve noted that your audit is on physical security and not on operational security. My full confession: I used to be in this business. You can have the best physical security, the best fence or the best wall, if you can say that, but the person who is on guard and opening the gate is your critical person. That is part of operational security.
When Glyn Berry was killed in Kandahar, one of our diplomats in 2006, he was outside the mission. When Annemarie Desloges, one of our diplomats in Nairobi, was killed in 2013 she was outside. I would think the operational requirement is really important. That’s where some of the focus should be because the operational goes with the physical.
First, I heard what you said about project oversight, but is it possible that Global Affairs Canada was working on the operational aspects as well and that maybe some of the funds and attention were diverted to that aspect?
Second, you can have incidents at places where you don’t think you’re going to have them and where you have a greater number of Canadian staff. Think of the bombings in Paris or in London. The whole area in Paris where our new embassy is located is a maximum security zone because of terrorist incidents there.
The physical security aspect is fine but it only goes that far. The training is as important as operational security. There was a question about other government departments. In many of our larger establishments abroad there are other government departments present, including National Defence, the Canadian Forces, the RCMP and CSIS. These people have the training to know what the operational requirements and threat assessments might be.
Could you talk a bit about that?
Ms. McCalla: Yes, indeed, physical security is but one aspect. It must work in tandem with your operational security and with intelligence. All of those working together are important for your effective security.
We examined physical security only because that is fundamental. As I said, that is the gold standard of your protections. Physical security is important because a physical attack is perhaps the most fundamental type of attack. It is widely recognized. Global Affairs has identified that physical security measures in and of themselves are important for the effective protection of their staff.
We also looked at the vulnerability assessments conducted by Global Affairs. They identified both physical security and operational security measures that were needed to mitigate the risks existing at its missions. We focused on the physical security ones, but we also did not see that all of the recommended operational security measures were in place.
There needs to be an understanding at the mission level and within Global Affairs of how these measures should all operate together so that the head of the mission can be assured that staff are safe.
Senator Boehm: To follow up on that, did you also look at official residences and staff quarters, considering that staff spend a lot of time at home as well?
Ms. McCalla: We didn’t report on them in the report, but the vulnerability assessments we examined also looked at staff quarters. We didn’t report on those because our findings would essentially be the same. It’s the lack of knowledge that we saw of what exactly is required in physical and operational intelligence working together for each mission and for the staff quarters, and how you would then prioritize those across a mission network to identify where your investments are most needed.
Senator Boehm: Did you look at schools?
Ms. McCalla: No, we did not.
Senator Housakos: Would you be able to tell this committee what experience and what expertise the AG’s office has in security counter-intelligence, particularly international counterterrorism?
I would probably assume very little, so I am wondering for this particular audit if you have solicited outside consultants and advisers who worked on this file and had that experience?
Ms. McCalla: Yes, we did.
Senator Housakos: Ultimately the next question I have is: Why is the AG’s office leading an audit of a nature that has to do with security and counterterrorism rather than having expert auditors and consultants doing that and taking the lead, unless this was a fiscal audit?
Ms. McCalla: This is a performance audit where we examine whether intended investments are achieving desired results. We examined investments that were planned to upgrade the physical security at missions abroad. We engaged experts to advise us on the sufficiency of the measures. We agreed with security experts with Global Affairs as well as to whether or not a gap existed.
Senator Housakos: But the lead was taken by the AG’s office and not by the security consultants that were hired, if I understand correctly. This was your report.
Ms. McCalla: Absolutely. This is our report, yes.
Senator Housakos: What percentage of the cost of this report was sourced out to anti-terrorist experts and security experts as opposed to the actual cost of auditors?
To be quite honest with you, I find it unusual that we would be evaluating an audit of the capacity of Global Affairs on security. I can tell you this: If the Americans, the French and our allies like the Australians would be doing an audit of security capability on counterterrorism or security issues of their missions, I suspect the first place they would be going is to experts and not to a bunch of accountants.
I would like to know what role those experts play, what percentage of the cost was incurred by experts in the field of terrorism and security, and what percentage of the cost was incurred by the AG’s office.
Ms. McCalla: Our security experts that we engaged were a very small overall proportion of the total cost of this audit. The total cost of this audit, including the staff, is anywhere around $1 million. The cost of the consultants we engaged was a smaller percentage. I would say about 10 per cent of that cost.
We didn’t just engage these experts through contract. We also worked with security experts at Global Affairs both in Ottawa and at missions abroad to assure ourselves for you that these findings on physical security were accurate. Global Affairs has agreed that with the factual accuracy of this report we are fairly representing the situation of physical security at its missions abroad.
Senator Housakos: The experts engaged by you, were they on site and visited the actual facilities, or was this done at a distance?
Ms. McCalla: There is a blend. We visited six missions abroad. Two of the missions we visited ourselves. For the other four missions, as we report in here, we relied on the work that had been done by Global Affairs in its inspections and internal audits of physical security abroad.
Senator Housakos: Did the security consultant you engaged that made up 10 per cent of this total audit visit the two facilities, or did this individual visit the two facilities with you on site?
Ms. McCalla: No.
Senator Housakos: He did not or she did not or they did not.
If I understand correctly, we did a whole audit of Global Affairs security antiterrorism capabilities abroad. We spent $1 million, 10 per cent of which was actually spent on experts in the field of security and counterterrorism. You’re telling me that those experts we engaged didn’t actually do an on-site audit. That’s what I understand.
Mr. Berthelette: The office conducted a performance audit. We set up an audit objective which stated that the objective of this audit was to determine whether Global Affairs Canada met its physical security needs for the protection of staff and assets at Canadian missions. That was the objective of the audit.
We didn’t do a broad antiterrorist audit. As has been suggested, it was pretty well defined. It was about what Global Affairs does and how it manages its physical properties to make sure that they meet their duty of care to their staff to ensure that the physical location is as safe as they can make it safe in the circumstances.
We went to them and we asked them what they did and how they did it. They explained it to us. Our team went to locations to see if in fact it was done that way. They came back with their observations.
We employed or contracted a couple of security experts to help us understand some of the intricacies and details involved in ensuring the physical security of missions abroad is safe. They provided us with their expertise. In the final analysis the team sat down with Global Affairs Canada and their security experts to discuss the audit and to confirm that what was produced by the team and what was reported were accurate reflections of what was going on within the department in terms of the physical security at missions abroad.
Senator Housakos: With all due respect, I appreciate that there was an effort made to provide an accurate report. I understand the parameters were set by Global Affairs in large part.
If we’re conducting a security analysis and an audit of our missions abroad, wouldn’t you agree that it would have been useful to have independent experts from Global Affairs in the area of security that would be visiting the on-site facilities and would be taking a lead in a greater form than the AG’s office given their expertise in the area of security?
Mr. Berthelette: We set up our audits, the audit objectives, the criteria and the approach we’re going to take, to ensure that we can arrive at the conclusion required for the audit.
We make those decisions. We exercise our professional judgment. In this case the team exercised their professional judgment to carry it out the way it was carried out.
The Chair: As a follow-up, I understand performance audits from sitting on the Finance Committee. You went in and you asked Global Affairs about their security risks, the plan they were supposed to have and the money they were given. You were to determine that what they said were the risks and the plan to address the risks. You were going to see whether they were implemented.
Am I correct in that dialogue?
Mr. Berthelette: Yes, that’s correct.
The Chair: Our committee may want to talk to you about their having plans that they are trying to meet and now there were five shortcomings or areas, if I can put it that way.
We may wish to ask if the plan is sufficient but that would be calling another department or another agency. Am I reading the dialogue correctly?
Mr. Berthelette: We looked at whether they had plans in place and we noted that they actually didn’t have plans in place. Committee members might want to ask the department if they now have plans in place and where they are at in terms of following up on the five recommendations that the team put forward and the department accepted.
The Chair: That’s helpful. I took it that the plans were there and you took them, but you’re saying that they didn’t have some plans in place. I guess I read the report differently.
Mr. Berthelette: We would have expected them to have plans in place. When the team went and looked, in fact they didn’t prioritize where they were going to make the investments against the 200 security issues they found. There should have been a plan that would help them allocate the resources they had against the 200 security issues they had found.
Senator Coyle: You have groups of people around the table who have either worked inside the embassies and high commissions or who have spent a lot of time visiting them. I spent a lot of time in and out of the Canadian embassy in Afghanistan for a period and more recently I am in and out of Haiti, so I know about high-risk locations.
I am shocked, actually, at what your findings are and a bit nervous about the future. Maybe I am not getting the why. Maybe your job wasn’t to answer the question as to why the situation is the way it is. There are insufficient plans. The physical security projects are not being done to the standard or to the degree that they need to be undertaken. I am trying to grapple with the why here.
I see in your recommendations that there is a recommendation regarding strengthening project management and oversight. To me this doesn’t look like it’s just about project management. It looks like it’s on a whole other level of leadership in the area of physical security.
Could you speak to those concerns, or are those appropriate questions to be asking of you?
Ms. McCalla: We did examine the why. Upon identifying that there were gaps in physical security between what Global Affairs had identified as being necessary for the effective protection of staff and what exactly was in place, we went to ask the why.
We identified a number of reasons. One of the primary reasons is that while the security branch identifies the physical security measures needed within its missions, there’s another branch of the department that actually determines what would be funded for implementation. That branch has a number of considerations, including if that mission will continue to have a presence within that country or needs to be moved.
They may put off some upgrades. They have a number of different considerations in determining which large capital projects will be funded. Most of the physical security projects require large capital projects to be implemented.
The departmental security officer who identifies what physical security measures are needed wasn’t part of the decision makers who decided what projects would be funded and paid for. At the end of our audit we saw that Global Affairs had identified that. They have now made the departmental security officer a permanent voting member of the committee that determines what projects. We saw that as being very encouraging.
For the next tranche of funding that will be coming up, Global Affairs has set up a deputy level committee which will oversee how the projects are selected and implemented. That was what we had identified as to why these projects maybe lingered and were not necessarily given as much force or direction to be implemented.
We noted that many of the projects were delayed. They were lapsing about a quarter of the funding for their physical security projects and needed to get special permission to hold on to only a portion of that funding.
Senator Coyle: That is helpful. Perhaps I didn’t understand what Senator Massicotte was asking but I hope I did. Did you look at the relationship between Global Affairs Canada headquarters and the field in what is actually happening and needed in terms of security and making things happen on the ground? Did you look at whether that factored into some of the deficiencies you found?
Ms. McCalla: In our view both are invested. Both have the same interest in having effective security for their staff. The heads of missions are responsible for the safety of their staff. As well, their departmental security officer has the same interest in ensuring effective protection.
For us, we saw that they needed to have good information upon which to prioritize where their investments need to be and then to monitor the progress of the projects they had identified.
We had identified weaknesses in their vulnerability assessments. They were incomplete or they didn’t necessarily have recommendations on the physical security measures needed to address many of the vulnerabilities they had identified. They needed to have that good information. In September they started to come up with a list of what was needed based on the vulnerability assessments.
When they have good, solid baseline standards consistently applied across their network with good quality vulnerability assessments and threat assessments that they knew were robust and up to date, then they can prioritize where they need to be investing their money.
Senator Coyle: Is that at the headquarters level?
Ms. McCalla: Yes.
Senator Coyle: I don’t know as much as some of my colleagues, but in some of the highest risk missions our heads of mission are in and out in very short periods of time. They don’t stay for long terms in these places because they are such high-risk places. Because they are hard places to live for extended periods, they are taken out to have a little R and R.
Their actual time on the ground in some of these places is not long. I am wondering about the relationship between those people in our most vulnerable places who are themselves under significant threat and are responsible for staff who are under significant threat. There’s not a lot of time in one’s mandate to take care of that level of business along with everything else that you’re dealing with in those very complex environments such as the ones my colleagues have mentioned. Not all the high-security environments are about terrorism.
I am curious whether you saw in the cases you looked at anything to do with how we as a country could handle it better, particularly in supporting those individuals in their responsibilities as you have mentioned.
Ms. McCalla: Indeed that was part of what we observed when we did go to missions abroad. The security staff that we interviewed didn’t know in all cases what measures were required for their staff based on what the vulnerability assessments and threat assessments had said and what the status of the remedial measures were.
We made a recommendation that it was very important that it be well documented. What exactly is your current threat environment? What are your vulnerabilities? What measures need to be in place?
This needs to be well documented for every mission and perhaps signed off by the heads of mission so that when they arrive they know exactly what is required for the effective protection of their staff. Should conditions change or erode based on the intelligence they get, they can make a determination of whether their risks can still be mitigated with their security teams with consultation, or whether they need to close their missions or restrict their operations accordingly.
We called for better and improved documentation of what measures are required at each site, especially because of the rotational staff, so that it is well understood.
The Chair: In the old days, and those are my old days, you had security and you had operational. I think Senator Boehm talked about that, but increasingly it’s crisis management. You can say 50 per cent of the missions are vulnerable today, obviously, but in two weeks they may or may not be. We have new security and terrorist threats throughout the world. We also have new technologies that we hadn’t absorbed before.
When you talk about physical plans, do you find that mobility plans are part of it? How do you get people evacuated from an area? How do you get them in and out? How do you move them around? What decisions should be made? What are the alternatives? If under crisis, do you move out people to work in another country? Do you move them back and forth?
Were the plans complete enough from a terrorist point of view? Crisis management today is very different. When I was in the service it was something that was not there. We are all admitting our backgrounds. It was physical and it could be operational, but it wasn’t what I call crisis management.
We just don’t know where the threats are. Are they off hours and on hours? Are they within our embassies? Are they within the residences? Is there a broader look at security in any of their plans?
Ms. McCalla: We didn’t necessarily report on it directly. When we looked at the selection of the six missions we saw that each of them had an emergency response plan tailored to the local environment.
They had a very good understanding of what exactly was the response of the local police and what exactly was the response time of local ambulances. They knew they had different measures they could put in place in certain countries where the local response was poor. You want to have a robust response should a crisis evolve.
The Chair: You mentioned that not everyone was aware of these plans. Would the staff in the missions know about these plans, or was it restricted to security and maybe head of mission?
Ms. McCalla: We interviewed the security officers in the missions. They were very keen on knowing what their response plans were.
As members of the Auditor General’s office, we were given a security briefing as soon as we arrived. We were informed of the local threats and what our expected response would be if a threat evolved.
That was very good. The staff didn’t necessarily know about or weren’t clear on the status of the physical security and operational security measures needed because of the vulnerabilities identified in the official assessments Global Affairs had done in each of its missions.
[Translation]
Senator Saint-Germain: As you know, the committee will be meeting shortly with Global Affairs Canada officials about their response to your report. You said you had documented the processes in place and the gap between what was supposed to be done and what was actually done. You visited six of the 175 missions Canada operates in 110 countries.
Four of your sources are Treasury Board of Canada documents. First of all, do you think Treasury Board policies on real property, investment planning, financial management and the management of projects were, or are, tailored to the needs of missions abroad?
Second of all, audits usually involve some sort of benchmarking. I don’t see any recommendations based on foreign mission practices followed by countries comparable to Canada size- and risk-wise. Was that something you looked at? My understanding is that it wasn’t.
If that’s so, does it have to do with the fact that, in your view, sufficient benchmarking already exists to support Global Affairs Canada’s practices in relation to comparable diplomatic and consular missions?
[English]
Ms. McCalla: The government security policy identifies that you need to have certain plans in place. You need to have security and protection of your staff in place. The exact standards in Canada are different from what you have abroad. However, Global Affairs has the same duty of care to its staff abroad as they have to their staff in Canada. To assure yourself of that duty of care we look to see what they are doing to protect their staff against foreseeable risks.
The building codes in Canada wouldn’t necessarily be the lens you would use to look at your missions abroad. That is why you have your security experts that go to each of your missions, conduct the threat and vulnerability assessments that identify the measures needed for a specific location. That’s where we looked to see what Global Affairs had done.
Many of the missions are located in the same areas in cities. The Canadian mission is very close to the French and the U.K. missions. We heard that they talk. They work together to exchange information and intelligence. They benefit from each other’s knowledge to update their security. They know what operational measures may be needed because of an evolving threat, for example.
In terms of benchmarking, we met with other countries to discuss what they were doing to meet the same situation Canada was facing with evolving threats and how to meet them. We noted they were grappling with many similar issues.
Physical security is expensive. You need to make sure that you have properly identified your risks. With a few examples of Canada’s normal partners, Canada was on board. Different countries have different levels of standards and different risk tolerances and are exposed to different risks.
We were satisfied in Canada that Global Affairs had identified what it needed for its threat environment. Our concern was that it hadn’t taken the steps that it needed to take to properly mitigate them.
Senator Saint-Germain: Thank you.
[Translation]
Senator Massicotte: We talked about cybersecurity earlier. The relationship between the Government of Canada and all of its citizens is an intimate and respectful one. Much of that interaction involves confidential information. Did you do a cybersecurity assessment? In other words, did you measure how secure all the information held by the government is? This is information the government has been collecting for a few years now.
[English]
Ms. McCalla: We currently we do not have one planned on cybersecurity at the missions abroad.
[Translation]
Senator Massicotte: Was one done in recent years?
[English]
Ms. McCalla: I am not aware of that, no.
[Translation]
Senator Massicotte: I’m not referring only to missions abroad. I’m also talking about here in Canada.
[English]
Ms. McCalla: I am not aware that we have one planned for Canada.
[Translation]
Senator Massicotte: Don’t you think you should do one as soon as possible, given how much trust Canadians place in the government when it comes to their personal information? Top officials at Public Safety Canada met with the Standing Senate Committee on Banking, Trade and Commerce to discuss risk management. It’s important to know whether the risks are being addressed properly here, at home — whether we are at greater risk. That’s something for you to consider. Obviously, I’m not looking for a firm commitment, but it’s something I would strongly recommend.
[English]
The Chair: Perhaps you could provide that to us if one is planned, et cetera. Cybersecurity, as I define it, is no longer in Canada or out of Canada. It’s global.
If you are planning anything, could you read the transcript and send us a letter?
Mr. Berthelette: Madam Chair, I confirm that we have no audit planned yet on cybersecurity. However, our principals are in the process of developing their audit plans. Cybersecurity is a risk we have identified. We are in the process of trying to figure out when we would do such an audit and how it would be done, but we don’t have a plan at the moment to do that audit.
The Chair: If any one of us or the committee may wish to give input into that, I take it our comments would be welcome.
Mr. Berthelette: I would be pleased to receive any comments senators may have concerning cybersecurity.
The Chair: It is important that we as the Foreign Affairs Committee are concerned about our staff, our embassies, the safety and security of our materials, and our foreign affairs in a broad context.
I thank the witnesses for coming. You’ve helped us. We appreciate that we were included in and directed by letter to the appropriate part of your audit. We trust that you will continue to do so in areas that would be of concern to this committee.
As our second panel, we have government officials from Global Affairs Canada: Dan Danagher, Assistant Deputy Minister, International Platform, and Heather Jeffrey, Assistant Deputy Minister, Consular, Security and Emergency Management.
Welcome to both of you. Mr. Danagher, perhaps you could explain to me your International Platform title with Global Affairs.
Dan Danagher, Assistant Deputy Minister, International Platform, Global Affairs Canada: In a nutshell, we provide the infrastructure for all of our missions around the world. That would include the real property, all the common services, the procurement, the local engaged staffing, all of those things that missions need to be able to conduct its business and to achieve results for the country.
Heather Jeffrey, Assistant Deputy Minister, Consular, Security and Emergency Management, Global Affairs Canada: First, on behalf of Global Affairs Canada, we would like to express our deepest condolences to the family, friends and colleagues of Auditor General Michael Ferguson, and in particular our heartfelt appreciation for his commitment to public service of which this audit is a reflection.
[Translation]
We appreciate very much the opportunity to be here today to discuss the recommendations of the Office of the Auditor General’s audit on physical security at Canada’s missions abroad. We are pleased to be able to have this opportunity to provide additional context in regard to the environment in which Global Affairs Canada works overseas.
[English]
As many of you know, in order to deliver on our mandate to serve Canadians and Canadian national interests abroad, Global Affairs Canada operates missions in over 110 countries, including in some of the most challenging security contexts, for example, Afghanistan and Iraq. These higher threat environments are increasingly complex.
In other regions, new developments in the local context and emerging regional trends can see new security threats emerge in what had been previously considered benign locations.
Security environments change suddenly and significantly as a result of a wide variety of causes, including natural disasters, political instability, terrorism, armed conflict, espionage, cyberattacks, criminality, and health crises.
Every day security professionals in our organization seek to meet these challenges by employing a wide variety of tools in a rigorous and comprehensive approach in an effort to ensure that our network of missions is secure and that the people working abroad for Canadians can do so in safety.
Based on threat assessments and intelligence, security experts provide a risk-based analysis of the countermeasures that are required at missions, prioritize them, and track them to follow up either to ensure implementation or alternative mitigation measures for those issues that might require longer term solutions.
We have to continuously assess the changing risk environment and realign our resources to address new and/or emerging risks.
Should a credible threat based on the intelligence gathered result in an unacceptable risk exposure to staff and assets, we take steps to safeguard that mission and reduce our exposure. This can include enhancing physical security, as was already mentioned, with additional operational security measures such as additional guards, changes in movement protocols or footprint on the ground to reduce exposure.
[Translation]
As part of its ongoing commitment to improve physical security, Global Affairs Canada adopts best practices in the planning, prioritizing and implementation of physical security measures and the management of real property projects at its missions.
[English]
Our top priority in all these efforts is the security and safety of our staff and colleagues. In November of last year, the 2018 fall reports of the Auditor General were tabled in Parliament, including the audit on physical security at Canada’s missions abroad.
It covered the period from April 1, 2015, to May 31, 2018, and examined whether we were meeting our physical security needs at missions abroad to protect our staff and assets. The audit both highlighted the positive work we have done in making upgrades to strengthen security over the past 10 years and identified areas that could be improved on.
It should be noted that physical security examined in the audit is only one activity among a range of interlocking security measures designed to protect staff and assets. Operational security like briefings, movement protocols and guard protection offer additional layers of protection and are critical parts of the security envelope.
The audit did not look at the effectiveness of the overall security mitigation in place to protect our staff, but we’re happy to speak to that. The audit focuses on areas of improvement for the physical security components.
The audit has five recommendations that touch on specific aspects of our physical security program and the management of our real property projects. We agree fully with all of these recommendations. We are confident in the long term that they will help strengthen our physical security practices and the management of our projects.
The work recommended in the audit is already under way and in some cases has already been completed. It is all on track. In particular, this was enabled by the 2017 announcement by the government of an investment of $1.8 billion over 10 years in security funding for Global Affairs under the duty of care initiative for the very specific purpose of strengthening security measures at our embassies, high commissions and consulates.
This funding has enabled the department to make important progress in addressing a number of the issues identified in the audit recommendation, including additional resources for tracking and the provision of security training, funding for key physical security improvements, seismic enhancements and mission relocations where required, as well as a comprehensive tracking and governance system that has been implemented to ensure the continual prioritization of security requirements in response to events on the ground.
[Translation]
For example, in 2016, GAC established a new global security framework. The framework explicitly integrates risk management principles into security policy development and decision making and enables risk-based priority setting and resource allocation. The framework also provides the flexibility to adapt more quickly to the changing international security environment and to re-prioritize and address future security needs as they emerge.
[English]
In 2018, GAC created a senior oversight committee to oversee the allocation of resources to major capital projects. It includes the departmental security officer in its membership to ensure the integration of security priorities in the prioritization of our overall real property portfolio. Work is also under way to address the areas of project management that were outlined in the audit and our progress is on track.
To close, we would like to emphasize the seriousness with which Global Affairs Canada views these issues and our firm commitment to continuing to strengthen measures to ensure the safety and security of our staff.
We convey our sincere thanks to the security professionals and teams for their dedication and commitment to the critical work of ensuring the safety and security of our missions, our staff abroad and the Canadians who visit them.
Finally, we wish to thank the honourable members of this committee for your attention to this critical issue. We would be pleased to answer your questions in regard to the progress that we have been making on implementing the audit recommendations. Thank you.
Senator Housakos: Many of us have had the privilege to have travelled abroad in our capacity as parliamentarians. We have visited many missions abroad and our people who do fantastic work representing Canada. We have an obligation to make sure they’re safe at the end of the day. They’re in service to their country. I think that is essential as there are some areas of the world that are a bit tougher neighborhoods than others.
We had the accountants who essentially conducted this audit on behalf of Global Affairs come before us earlier. To be honest with you, I am a bit perplexed, and correct me if I am wrong, why Global Affairs is conducting what it seems to be more of a self-audit than an external audit. It seems the parameters for this audit used by the AG’s office were the parameters that were already in place. It was a validation of whether those parameters were being executed effectively. Of course, you recognize there are some improvements to be made.
Wouldn’t you agree that spending $1 million on bringing in fiscal accountants to do a security audit is not necessarily the most prudent thing? By their own admission in terms of the whole process, 10 per cent of the $1 million was used to hire actual security experts. They’ve admitted those security experts did not accompany or do any on-site audits themselves in terms of visiting locations.
To be honest with you, I am scratching my head and saying to myself, “Couldn’t we have spent the $1 million a bit more effectively?” It seems to me what we’ve done here is the equivalent of having Public Services and Procurement Canada calling in CSIS and the RCMP to fix the Phoenix problem. For all I know maybe that’s what we’re doing and perhaps that’s why we’re still in a quagmire with Phoenix.
Given the sensitivity of this issue, I suspected we needed to have people with expertise in counter-intelligence, counterterrorism and international terrorism. It seems to me that was not the approach in this particular instance.
Whose decision was it to bring in fiscal accountants to do a security audit and to spend 90 per cent of the budget on what are probably very capable chartered accountants but not necessarily experts in the field of anti-terrorism, counterterrorism and so on?
Ms. Jeffrey: With respect, that question is one that is best addressed to the Office of the Auditor General of Canada. They came to look at our security and real property programs and plans. They looked at how we implemented them based against those plans. It was a performance audit, as they’ve explained.
The audit scope did not include an evaluation of the appropriateness of those measures. That is a separate issue that was not looked at within the scope of the audit. Global Affairs Canada does not play a role in determining and deciding on the scope of the audit.
Senator Housakos: I guess I should have asked that question before I went on with my concerns. I guess the answer to that question is that this was not initiated by Global Affairs. This was an initiative of the Auditor General’s office.
Ms. Jeffrey: Yes, that’s the case.
Senator Housakos: Thank you for the answer and the clarification.
The Chair: As a follow-up, is there someone outside who looks at whether your plans are adequate? Is there an oversight other than perhaps this committee and other parliamentary bodies? Are there others who say, “Here is our security plan. This is what we need?”
That is not what the auditor was saying. The auditor was saying, “You said you had the plan. Have you implemented it?” Is there someone who double-checks that you have the appropriate security analysis to come to the conclusion that you need this or that physical facility change, or is it all within Global Affairs Canada and the capacities you have?
Ms. Jeffrey: I will speak to the security aspects and my colleague can speak to the property aspects.
We work extensively with a wide variety of departments within the Government of Canada in looking at our risk and threat assessments in high-threat environments within the Department of National Defence and others in terms of physical security on the ground. There is an extensive department-wide consultation process that goes into that.
We also have networks abroad with our like-minded partners. We have a security colloquium organization that brings together some of the largest foreign ministries to compare and contrast our assessments, our notes on best practices and new developments in the threat environment. Canada hosted such a meeting in October 2018.
Our accountability is to Parliament for those plans. Periodically consultants and outside advisers are brought in to advise on specific risks to different contexts.
I am not sure if I’ve answered your question fully.
The Chair: You report to the minister of the government of the day and they report to Parliament. You don’t go directly to Parliament.
Ms. Jeffrey: No, of course not.
The Chair: Unless we invite you in such as today and specifically ask you for it.
Ms. Jeffrey: Yes.
Mr. Danagher: I know your question was about external as well, but perhaps I could add that we have robust internal oversight. Other organizations external to us develop standards for some parts of our security posture. We work very closely with them to ensure parts of our security posture.
I am trying to be vague but reassure you because there are things I really don’t want to say in a public forum.
We work very closely with security experts within government but outside of Global Affairs to ensure we meet their standards.
The Chair: I am aware of the issues that should not be brought forward in this committee. My concern was more whether there was an external oversight of your plan other than through the minister to the government to Parliament.
Mr. Danagher: Right.
The Chair: Thank you.
[Translation]
Senator Saint-Germain: I have a comment. I’m very shocked that the Auditor General limited his audit to physical security because it is just one piece of the broader security picture. It’s well and good to check whether the embassy has a fence around it and whether all staff has been properly trained. Nevertheless, a mission could still hire local employees who represent a high security risk or be faced with serious cybersecurity risks.
One of the security deficiencies identified by the Auditor General was a lack of planning. Do you develop and manage your individual plans as part of a broader package? I’m referring to elements such as physical security, human safety, cybersecurity and terrorism risk. Conversely, do you address those facets separately, as broken down in the Auditor General’s report? In other words, how do you manage security in a strategic and effective way given the challenges of today?
[English]
Ms. Jeffrey: Thank you very much. This audit came at a very good time for us because we have retooled and are about to embark through the duty of care program on a new approach to assessing security.
I assure you that all the different facets of security are included within a new global security framework of a year and a half ago. It brings together all the different facets of security in evaluating and prioritizing the projects to be done, as well as the alternative mitigation to be put in place while those projects are coming to completion.
A very integrated approach brings together threat, risk, impact and probability to decide which of the measures are most important and need to be done most urgently.
At the time the Auditor General reviewed the plans, we had finished the initial stage of the duty of care project process to identify the list of 200 vulnerabilities they referred to. We have since embarked on the plan to implement those projects.
Some 40 per cent of them are already completed or have been overtaken by events on the ground in terms of no longer being required or other measures having been put in place. Some 30 per cent are being completed as minor projects this fiscal year ending in March. Another 30 per cent are part of major projects, mission relocations or rebuilds that are taking place over a multi-year plan.
For those cases, a mitigation measure needs to be put in on an interim basis. Where there is a primitive security issue that needs to be addressed, it might take two years. We put in place additional guards. We have additional arrangements with host governments. We put in place bollards or other setbacks to provide space. There are a variety of tools we can bring together.
It is important to your point that for every mission we evaluate the full suite of tools. We look first at the risk environment, our posture and the kinds of operations that need to take place on the ground. Then we look at what kinds of security protections we need within and outside the mission or at moves within the area or more broadly in the country. We look at the mitigation in place. We assess whether there is any residual risk and if that leftover risk is within tolerance of the Government of Canada, given the importance of our objectives on the ground.
There is always risk. It needs to be a reasonable risk that we’re prepared to enter into for serving the real needs of Canadians abroad. That is a decision and a devotion that our staff takes very seriously. They take on hardship posts in a variety of difficult places. They understand that the most significant risks are mitigated and that there are protocols and processes in place to protect them.
That is the broad spectrum with which we approach it. That integrated prioritization is the real new development in what we are currently doing.
[Translation]
Senator Saint-Germain: The Auditor General criticized you for not having a risk hierarchy and thus prioritizing embassies and consulates. You said you had implemented roughly 40 per cent of your physical security plan. What criteria did you use to decide on those specific projects, and what are you doing about cybersecurity?
[English]
Ms. Jeffrey: Yes, we have an elaborate set of criteria and structure for looking at the different risks. Obviously the risks to life and safety of staff are at the very top of that hierarchy.
There are risks to information and other parts of the embassy operations. They’re prioritized in terms of the severity of the threat, the probability or likelihood that the threat could come to pass in that location, and our ability to mitigate the risk in other ways. If there is an easy way to have a temporary fix that covers the risk while that project is under way, the mitigated risk might drop lower in the hierarchy. In some cases there are risks that can’t be mitigated and may be curtailing our operations.
As we saw in Haiti over the past two weeks, there were violent protests right outside our embassy gates. It wasn’t safe for Canadians to approach the embassy. The physical premise of the embassy was closed to the public, but operations continued from alternate locations. The alternate command post and consular services continued to be provided. That a real-time example of the kinds of everyday decisions being made.
Senator Saint-Germain: What about cybersecurity? Do you have internal experts? Do you outsource for cybersecurity? What are you doing in this specific area?
Ms. Jeffrey: Cybersecurity was not the focus of this audit, as the Auditor General indicated.
Senator Saint-Germain: But generally.
Ms. Jeffrey: Yes, we have internally within Global Affairs experts on cybersecurity and information technology and on cybersecurity policy internationally in terms of relations with close allies.
We work very closely with the interdepartmental community, with the Communications Security Establishment, and with the other security and intelligence services to provide the cybersecurity envelope for the Government of Canada. This is a government-wide issue. As has been pointed out by the committee, it doesn’t respect borders or boundaries. That kind of integrated whole of government approach is essential and we are part of that approach.
Senator Boehm: I have a couple of questions. One is on coordination and coordination of training. In my distant memory, I know there was a committee of deputy ministers dedicated to mission security. It lasted for about two years. At least that’s how long I was the chair of that committee. I don’t know if it still exists. Part of what we were trying to do is to get the Commissioner of the RCMP, the Chief of the Defence Staff, the Director of CSIS and others all around the table to look at common approaches.
We discovered in some of our missions where we had representatives, shall we say, of the larger governmental community that the standards and advice differed. Some would say there was no security training required in a particular case or it was being made an unaccompanied mission for their people. In fact the Global Affairs people would be accompanied by dependents and spouses. There was an inconsistency there.
I am hearing that the oversight committee that has been created has elements from across government. While it’s a Global Affairs structure in many missions, the majority might be from our Immigration and Refugee Department or Citizenship Department.
Could you comment on that?
Ms. Jeffrey: We are continually addressing this very important issue. There’s a very high degree of collaboration under the leadership of the head of mission who, for the want of a better analogy, is the CEO. They are responsible for what happens in an embassy or high commission abroad and have the responsibility to ensure the safety and security of all the staff within the mission, regardless of what government department they are representing.
We work very carefully. There are circumstances where very legitimately another department such as the Department of National Defence may be carrying out particular duties and operations that put them in a different set of operational security protocols. That is recognized and understood.
There are weekly meetings at which we discuss and collaborate on different issues that may arise as threat information comes in and as we decide how to react to try to ensure we have a common approach to protecting Canadian government staff that might be working abroad and the consular side of my responsibilities. Where risks apply equally to Canadians who might be travelling abroad for business, education or tourism, we ensure that they are also warned and protected to the extent we can. We have a no double standard policy in that respect.
It requires quite intensive collaboration. We have operational contact on a daily basis with the other agencies that are deployed.
Senator Boehm: The duty of care element is pretty well standardized across government, regardless of department or agency.
Ms. Jeffrey: Yes.
Senator Boehm: I have a second question and it is on duty of care. Many of us are aware of the Havana syndrome case. Senator Bovey mentioned that at the beginning.
I met with the impacted employees. It was not just employees who were impacted. There were children as well. I know a lawsuit has been filed against Global Affairs Canada.
Are there lessons to be drawn from this in terms of duty of care reaction? I know the cause is still not clearly determined. It may be unprecedented or whatever. There are theories on that. In terms of the departmental response and duty of care, could you give us a bit of an update?
Ms. Jeffrey: Obviously I will not comment on matters before the courts. However, this is an example of an emerging issue that is affecting the health of our staff which has no precedent in our experience.
We have tried to take an evidence-based approach. We are working with medical research professionals, with the whole of government security effort, including RCMP-led investigation into causes. We have been meeting regularly with the staff that are affected to take their feedback and to work closely with them to ensure we have a full exchange of information as we work toward trying to identify a cause.
With all security incidents and issues, including health and safety impacts regardless of their cause, we continually conduct a lessons learned and feedback approach explicit in the case of international crises and emergencies. Similarly in these situations we try to continually improve our responses.
Senator Boehm: In designating Havana as an unaccompanied diplomatic post, is that what other countries are doing? Has the U.S. done the same? They were affected as well.
Ms. Jeffrey: To date, it is only Canadian and U.S. diplomats that have confirmed cases of personnel affected by these incidents. Both Canada and the U.S. have withdrawn dependents from Havana.
Last month we took the decision to downsize our footprint at the mission in Havana by 50 per cent to further reduce our exposure on the ground. We’ve put in place additional security mitigation measures that I won’t speak to in detail here for obvious reasons, but this issue requires very close collaboration with both our whole of government security partners as well as with our international partners.
The Cuban government has offered its full cooperation. We are in close contact with the U.S. task force in responding to these issues as well.
Senator Bovey: To follow up, I appreciate what you said about Cuba, so I’ll move elsewhere.
Going back to lessons learned and may I say the safety of staff in health situations, could you tell us what lessons have been learned? Is Global Affairs taking any steps following the incidents in Salisbury? Then we could go to something perhaps more physical than that, such as the issues in Paris and London.
I’ve been to both those embassies since some of the uprisings. I am aware of some of what’s going on. I guess I want assurance that from all these international incidents we are taking lessons learned.
There have been a number of global health situations. What kinds of care, prevention and concern do we have for our staff when they are deployed to places where there are Zika virus or any of the Ebola issues we’ve seen elsewhere? What steps do we take?
To use your phrase, that’s part of being concerned for the risk of life and safety of staff. It’s multi-dimensional. Much of this is beyond the audit, but it is part of the care and service of our personnel.
Ms. Jeffrey: Yes. First, we have a very well-developed 24-7 crisis response unit. The emergency watch and response centre is based at Global Affairs. It’s an operation centre staffed around the clock that responds to incidents overseas. They use a variety of different social media tools, platforms and IT technology to have early warning of events as they emerge.
These days it’s often through social media from people exposed to the actual event that you can become first alerted. We have very good analysis and reporting. They reach out immediately to missions on the ground to notify them of what is happening in their region. They reach out to readiness and security program managers.
One of the most exciting developments about the duty of care funding has been the deployment this year of over 30 readiness and security program managers to additional locations abroad. Because of the concept of it in particular, it’s not just a security program manager but it is about readiness. It is about mission emergency plans, evacuation plans that people were asking about earlier, and the exercising of these plans with our staff so that we are prepared to respond to emergencies.
We have an incident command structure in our embassies that understand and have worked together with a variety of other departments that support them on this end. We have an international task force structure that comes together.
This is particularly important in the case of health emergencies which cross a wide variety of different competencies both here in Ottawa and in the field, internationally in the UN, and in the global system as well with the WHO and other responders.
You will remember the Ebola crisis of recent years. There is currently an ongoing Ebola outbreak in Africa that we report on daily and monitor closely. We need to make sure we have the appropriate health and security measures in place for our staff and to make sure that international humanitarian responders and humanitarian assistance is going from other parts of our department to support the response in the field.
Global health emergencies are very important, in particular to look at the governance around them. We learned good lessons from the SARS crisis response and the Ebola response of previous years in terms of operating procedures and membership in our interdepartmental task force that stands up whenever there is a crisis.
The Public Health Agency of Canada, Health Canada and their extended networks participate in the task forces. They provide us with technical and medical advice as required in addition to the services of medical advisers that we contract ourselves to advise our staff on deployment.
It is one of the more complex types of emergencies, to respond to you, but we have a formalized lessons learned approach. After every crisis and every task force there is a hotwash. There is a very detailed process to identify recommendations and to track those recommendations going forward. This was actually the subject of a previous audit last spring when they documented that response.
Senator Cordy: I want to follow up to Senator Saint-Germain’s question about formalizing the Auditor General’s recommendation to put a process in place for identifying, prioritizing and approving physical security projects at its missions to ensure that funds are appropriately allocated.
You said in response to Senator Saint-Germain, I believe, that you prioritize projects that have to be done.
Ms. Jeffrey: Yes. In the audit there was an observation that most of the previous program security funding in the past we had gone only to three missions. That was an example of the fact that at the time we had three extremely high-threat missions. Locations like Afghanistan and Iraq obviously require significant security measures, including close protection and additional equipment and personnel that are very costly.
As a result of Canada’s extensive involvement in those environments, the majority of the previous security funding programs went to support the security and safety of our staff in those missions.
With a much larger investment program such as duty of care and the $1.8 billion over 10 years, it is true that it is really important to prioritize across crises. It’s not necessarily that the lowest priority security mitigation in Afghanistan ranks above the highest priority in a place like Haiti or Mexico. We need to be able to prioritize across the global environment.
That is what the global security framework we just operationalized was set out to do. It’s to weigh each individual measure in terms of its impact on the actual safety of our people and to make sure the highest priority ones are addressed first.
Senator Cordy: Things can change from today until tomorrow, so I assume you have flexibility in your prioritization.
Ms. Jeffrey: Yes, and that is part of the governance structure. It can meet virtually. It can meet frequently. It can meet on a weekly basis, if necessary, to move projects up the list, for example, in a case like Havana as the scope and impact of the situation emerged.
Whereas Havana might not have been three or four years ago the highest on the list of physical security mitigation, obviously measures there are much more important in the wake what occurred.
It’s one example among many. I would also add Port-au-Prince to the list. In light of the now more violent protests we have seen, additional mitigation is being prioritized to make sure we continue to operate.
Mr. Danagher: I would quickly add that you neglected to mention the global security framework that is refreshed very frequently. It’s a very formal process to be constantly assessing our external environment and using that information to inform which ones are top priorities. This was something we put in place with the previous tranches of funding we got.
Senator Dean: I have a quick, specific question on personal safety. Is there a policy, or to what extent in medium- to high-risk situations is there a system in which there are cellphone alerts based on security threats or incidents that people become aware of?
If I am out in a mall in Nairobi and away from physical security, am I likely to get a cellphone message if there is a known threat? Is that standardized, or is that something that is optional by mission or something dependent on the capacity to do that by mission? Is it done at all?
Ms. Jeffrey: This is an important part of the staff safety plans in place at different missions. It relates to the movement protocols. There are rules in each mission about go areas, no-go areas, time of day and curfew depending on the environment.
In some environments there are different communications tools because not every country has the same communication configuration. In some countries we use personal radios. In others it’s cellphone based through automated call trees, direct calls or SMS. There are a wide variety of systems.
Domestically in Canada we have an SMS-based and voice phone system that automatically notifies people. We have automated call trees. Those messages go out and staff are very quickly informed.
I referred to our watch office. With every incident, the first thing they do when they contact a mission is to get the mission’s roll call. Where are the staff? Not just Canadian-based staff but also locally engaged staff. The first thing we ask is: Where is everyone? Are people safe? What are your instructions for movement? That is a standard part of our operation.
Senator Coyle: If I may, I would like to take us back to the audit, although I’ve found all of this discussion very important and interesting.
I believe I heard you say that you found this audit to be very helpful to you. Could you speak to that? That’s my first question.
Ms. Jeffrey: Yes. Because we have just embarked on this 10-year program of very significant investment, it is particularly useful to have the views of an independent outside body on where our governance structure needs improvement and on the documentation. Audits look, very appropriately, at what you’re doing, how you are tracking and documenting, and can prove what you’re doing.
The systemization and the need for integrated tracking that is automated and continually verifiable is very important. Certainly, one of the early achievements of the duty of care investment is an enhanced security information management system.
We always had one, but it was much more limited in terms of the types of data it could manage. It now tracks the vulnerability and threat assessments and each individual measure identified for mitigation. We can track the status of its completion and follow up. We’re continuing to add more functionality to these tracking systems, which are essential in a modern foreign ministry. The audit is helping us to identify those areas.
When the auditors come back again to verify, we hold weekly meetings to look at the status of audit implementation and to see how we’re doing against the markers we laid out in response to the recommendations. These information management systems are very critical.
The audit played a very important role in informing how we look at those to make sure we have the ability to demonstrate all of the measures we have in place.
Senator Coyle: It’s helpful for us to understand your perspective, which is the most important perspective here.
If this audit had not happened, how much of this would you have done anyway? Over and above the physical security being dealt with here, is there another area of audit required that you would see as a priority also requiring attention?
Ms. Jeffrey: We also have an internal audit and evaluation function within the department. Actually physical security and real property were the subjects of an internal audit last year. The recommendations align in the OAG, recognizing that we had just undergone an internal audit. We used that audit and built on its recommendations as they referred to.
It allowed them to go further in their recommendations, but we have an internal audit function for which this significant program is a regularly scheduled piece of analysis that they do. The recommendations are similar.
Senator Coyle: Are there areas where you might want further audit support?
Mr. Danagher: Be careful.
Senator Coyle: No, I am interested. This is the physical side of things but you’re dealing with much more than that.
Ms. Jeffrey: Yes. In addition to our internal audit this year, we underwent a consular and emergency response audit and a physical security audit from the OAG. We also underwent an OAG audit along with other government departments on business continuity operations and how we’re assuring continuity of services. There has been a thorough suite.
Senator Housakos: It is reassuring to hear a witness say earlier that they use outside security forces and intelligence organizations on a regular basis. I appreciate the fact that you guys cannot get into the details of that. We’re not here to discuss security secrets and jeopardize the system that is in place. It is reassuring to hear we actually have people who know about security that are engaged with Global Affairs.
Knock on wood. We haven’t had any major incidents that call into question the systems that you already have in place. The proof is always in the pudding. You guys must be doing a good job. We’ll keep our fingers crossed that you continue to do a good job because it’s the matter of the security of our people.
I am going a bit further than my colleague. In terms of value for dollars for the particular audit, when it’s all said and done and Auditor General commissions an audit like this one, I understand the million dollar hit doesn’t come from Global Affairs. It comes from parliamentary estimates. It’s $1 million that the Auditor General thought would be best utilized to conduct this audit.
Again I am going back to this theme. If you had an extra $1 million in your annual budget to conduct a security audit or to upgrade security, would $1 million be a critical need, or do you feel that we got value for the money?
By all means feel free to speak openly. There are very few people that will hear the answer.
The Chair: I think we have a very large audience. At least I would like to think so, as the Senate.
Senator Housakos: I always speak freely, so I encourage you to do the same.
Ms. Jeffrey: The question of the value for money is really a question for the Office of the Auditor General. I spoke already to the value we’ve taken from the audit that was conducted.
Senator Massicotte: We need to hire an auditor to audit the audit.
Senator Housakos: That’s for another committee, but call me; I’ll be there.
The Chair: I thank you for coming and responding. We purposely said that we would like to have the Office of the Auditor General come and then to have a response. It was helpful to the committee to have both the Office of the Auditor General here today and your response at the same time.
At another time I would like to pursue Canadians abroad, particularly through consular services. It has always amazed me how mobile Canadians are and how private they are about their comings and goings. At any given time, we really don’t know how many Canadians are where. That is how it should be, but when a crisis occurs all eyes are on some embassy to ask, “What are you doing about it?”
I know the struggles with today’s communications, et cetera. This committee could benefit from an update on how you go about consular services in that broad field. It isn’t just those responsible citizens that go in and register at the embassy. You can easily locate them. There are many that do not do it for a lot of reasons. I think that is something this committee could explore.
The other point is that you used the term “evidence-based.” When you look at missions and personnel in crisis, you use an evidence-based approach. I hope you would also take into account a preventive approach. We don’t want you to act precipitously and incur the cost. On the other hand, if we wait for evidence we can put people in jeopardy needlessly.
I am speaking for myself. I don’t know if I speak for the committee. Perhaps you could look at that concept because the world is a very different place today. Getting evidence in Cuba is just one example. I could give you some others. I am sure you’re aware of even more where we have a duty of care, which means not only the department and not only the government but Parliament. If we send people abroad, we should take extra cautious measures to ensure that their safety is protected to the extent they can. Somebody used the term “reasonable risk.” We need to ensure there’s an evidence base but also a preventive base in those situations.
Thank you for coming. We trust that we can keep a dialogue going with Global Affairs. We have had that in the past, and I look forward to that in the future. On behalf of the committee, I thank you for coming.
(The committee adjourned.)