Force suspended contract with Sinclair Technologies for radio frequency equipment last year
Late last year, the RCMP suspended its contract with Sinclair Technologies for radio frequency (RF) equipment. A recent audit found the RCMP complied with applicable policies and procedures. (Darryl Dyck/The Canadian Press)
Equipment the RCMP purchased from a company linked to China did not pose much of a security concern, according to a newly published audit.
The audit review did call for changes to the procurement process to bolster security requirements, however.
Late last year, the RCMP suspended its contract with Sinclair Technologies for radio frequency (RF) equipment in response to reporting by Radio-Canada that revealed Sinclair’s parent company, Norsat International, had been owned by the Chinese telecommunications firm Hytera since 2017.
The Chinese government owns around 10 per cent of Hytera through an investment fund.
While the public safety minister insisted at the time that there had been no security breaches related to the equipment, news of the contract raised concerns in Ottawa about the risk of espionage targeting Canada’s national police service at a time of rising tensions between China and Canada.
Mounties were hauled before a parliamentary committee to explain the reasons for the purchase and promised to review the contract “to ensure due diligence was conducted and that appropriate safeguards were taken.”
The RCMP’s Internal Audit, Evaluation and Review wing, billed as an independent branch that provides the commissioner and senior management with information, took on the task.
Its audit was finished in June but was made public only recently with redactions. It
found the RCMP complied with applicable policies and procedures.
According to the audit, the RCMP’s departmental security branch consulted with Canada’s cyber intelligence agency in December and the Communications Security Establishment’s opinion was that the RF filtering devices “would not compromise encrypted communications based on the RCMP’s application.”
“Although subject matter experts confirmed that the equipment in this [standing offer] is low risk and does not compromise secure communications based on the RCMP’s application, some lessons learned and opportunities for improvement exist to enhance the consideration and articulation of security requirements in procurement processes going forward,” said the review.
Security form checklist outdated: audit
The audit said that the Treasury Board’s security requirement checklist, a document used to identify security requirements during the procurement process, is outdated.
The “form is from 2004 and that there are some gaps in the questions (e.g. cloud, cyber security and other sensitive aspects linked to national security which are not captured) and it could be more robust to assess modern risks in security,” said the audit.
The audit committee recommended that the force implement controls to ensure RCMP security requirements are included in contracts, and to determine when additional security controls are necessary.
(Marc Godbout/Radio-Canada)
The review identified several additional security processes and controls available for procurements. While the procurement of RF filtration equipment did not trigger any of those processes, the audit found they can be requested on a case-by-case basis.
“The review found that the RCMP does not have formal guidance in its policy manuals on when additional security processes should be requested for procurements that do not meet the established criteria,” it said.
The audit recommended that the RCMP develop internal guidance related to additional security processes and controls.
U.S. banned imports of Hytera equipment
The audit revealed that the RCMP did grant clearances for six Sinclair contractors in the event that work might be required on RCMP premises. They were granted “facilities access level 2” status, meaning they were not given access to protected or classified information, systems, assets or facilities.
However, the requirement for a level 2 screening was not included in the standing offer requirements.
“This may increase the risk that intended security controls will not be applied,” said the audit.
Deputy Commissioner Bryan Larkin, head of specialized policing services, said he supports the findings.
“We will continue to comply with applicable policies and procedures, and will work with internal and external stakeholders on the report’s findings, as authority on these matters will ultimately rest with Public Services and Procurement Canada,” he said in a media statement.
The RCMP’s audit team said it will monitor the implementation of the management action plan.
The United States Federal Communications Commission (FCC) banned imports of Hytera equipment last year, identifying it as one of several Chinese firms that pose “an unacceptable risk to the national security of the United States or the security and safety of United States persons.”
Hytera is facing 21 espionage-related charges in the United States. The U.S. Department of Justice
has accused the company of conspiring to steal technology from the American telecommunications firm Motorola.
