OTTAWA - A pair of internal government reports confirm there have been repeated security failures in contracts involving secret technology and classified information, including confidential military blueprints.
The reports, suppressed for almost two years, buttress some initial findings by the auditor general in 2007 but suggest the problem has been even more widespread than first reported.
One of the newly released reports, commissioned by Public Works from the consultant firm Deloitte and Touche, examined 181 contracts that required tight security clearances for firms providing equipment and services to the federal government. Some were awarded to military contractors, such as McDonnell Douglas Corp. and Thales Canada Ltd.
Deloitte found that 87 of them had "ongoing security deficiencies" because key security elements of the contracts were not enforced or monitored properly.
"Unless these ongoing deficiencies are resolved, there is an ongoing risk that a security breach could occur," says the November 2008 document.
A second Deloitte report, into 153 so-called standing offers, found similarly sloppy security arrangements for 80 of them.
Auditor General Sheila Fraser examined a smaller sample of 86 similar contracts in 2007 and found 24 of them proceeded without the required security clearances and checks.
One of the most serious breaches Fraser discovered was a construction contract for the NORAD Above Ground Complex at North Bay, Ont., where security checks were not satisfactorily completed for the 16 construction companies hired to build the facility.
"National Defence does not know whether information or the building itself has been compromised," she reported. The department later had to significantly modify the structures to ensure they were secure.
The latest findings, raising concerns about the security of military procurements managed by Public Works, come as the federal government presses ahead with the $9-billion acquisition of 65 Joint Strike Fighter jets, Canada's largest-ever military procurement.
The F-35 purchase, which may provide work for up to 100 Canadian firms, involves top-secret, leading-edge technology that will be shared by the United States government only with trusted allies.
The Canadian Press requested the Deloitte and Touche reports in November 2008 under the Access to Information Act. But the documents — which say they are "not intended for general circulation or publication" — underwent a long, tortuous journey before they were finally released.
They were first sent for lengthy consultations to National Defence, Fisheries and Oceans and to the Privy Council Office, the prime minister's own department.
The reports also became the subject of a Federal Court case launched by Provincial Airlines Ltd., which objected to release of the material. The airline, which provides maritime aerial surveillance for Fisheries and Oceans, was cited in an appendix though not subject to any criticism by Deloitte.
Lawyers for Provincial Airlines argued in a St. John's, N.L., court in January this year that the appendix contained confidential commercial information about its security status with the federal government — and disclosure might make it a "target for infiltration."
But a federal court judge dismissed the application in March, calling the company's concerns about infiltration "entirely speculative."
The reports refer only in generic terms to the types of security lapses identified, including failure to lock up secret material. The findings apply only to Public Works officials, rather than to private-sector companies, because the department is directly responsible for ensuring contract-security provisions are enforced through its Industrial Security Program.
A spokesman for Public Works says all of the problems identified by Fraser and by the Deloitte reports have been resolved, through beefed-up training, tighter controls, more thorough processes and increased hiring.
"We have implemented a robust action plan to ensure a strong and effective Industrial Security Program," Sebastien Bois said in an email response to questions.
No actual security breaches were identified in any of the reviews, though Fraser noted that her audit was not designed to find them. Bois said there have been no such breaches subsequent to the two Deloitte reports, which cost taxpayers almost $370,000.
The Industrial Security Program in Public Works will grow to 240 people in 2011-2012, he said, up from about 150 in 2007 when Fraser reported that the section was severely understaffed.
The Industrial Security Program has given federal security clearances to about 6,000 private-sector organizations and to more than 370,000 individuals.