Effective Security Accountability
© 2009 FrontLine Security (Vol 4, No 3)

In an excellent paper entitled “Accountability in and for National Security,” Professors Reg Whitaker and Stuart Farson address the “complex system of accountability that applies to ­government departments and agencies responsible for Canada’s National Security.” From this, we can distill some key thoughts on accountability that are applicable to security practitioners, who by their profession are both contributors to, and consumers of, intelligence.

Not a review or critique of the Whitaker and Farson paper, I offer these additional considerations for policy makers and implementers who are focused on mission success. Security practitioners at all levels remain accountable for the security advice and recommendations that they make to their superiors.

Reg Whitaker and Stuart Farson are eminently qualified to write on the topic of accountability. Dr. Reg Whitaker is a distinguished research professor emeritus at York University and adjunct professor of political science at the University of Victoria. He served on ­advisory panels into Commissions of Inquiry regarding Maher Arar and the bombing of Air India Fight 182.

Dr. Stuart Farson is an adjunct professor of political science at Simon Fraser ­University and acted as research director for the parliamentary committee that reviewed the CSIS Act. He was called as an expert witness in the Commission of Inquiry regarding Maher Arar, as well as in other cases of national security litigation.

Accountability in and for National Security
Whitaker and Farson identify the difficulty defining and framing the concept of accountability, its challenges in the face of secrecy, the reluctance to share information, and the complexity arising from the myriad of security agencies and accountability bodies to be overseen and coordinated.

From its origins as “a constitutional convention in Westminster systems of government” and how this begat ministerial responsibility, the authors provide an interesting historical perspective of accountability. They guide the reader through several timeframes of Canadian national security accountability, from Confederation until 1970, during which “Canadians by and large appeared to accept that national security agencies should work in secret.”

The 1969 Royal Commission on Security (the Mackenzie Commission) was launched to address shortcomings of the Official Secrets Act, described by the Commission as “an unwieldy statute, couched in very broad and ambiguous language,” as well as to investigate a security lapse in a federal institution. The commission recommended improvements to security procedures and greater accountability mechanisms for security agencies including the formation of a civilian security agency.

The change in emphasis from external to internal threats in the 1970s led to the 1981 McDonald Commission recommendations for a “new institutional architecture to achieve a greater degree of accountability” over the national security apparatus.

The CSIS Act of 1984 also provided legislative support to accountability (including internal controls), as did the enhanced role of the Inspector General and the Security Intelligence Review Committee.

The authors note the end of the Cold War era was replaced by Canada’s commitment to Washington’s “war on terror” after 9/11. Commensurate with this, oversight positions were established in the Communications Security Establishment  (CSE), and ad hoc review bodies as part of public inquiries were increasingly used.

What is Accountability?
This seemingly straight-forward concept is the subject of much discussion among security policy makers and authorities. At its essence, the concept of accountability demands both justification of an action or inaction, and the acceptance of responsibility for any repercussions that may ensue.

Figure 1: Accountability in support of national objectives.
Figure 2: Approaches to security oversight

Security or intelligence practitioners, especially in management, should not shy away from accountability. When accepting this, however, they must  ensure that they know to whom, and for what they are accountable, and that they are given the authority and resources to exercise their responsibilities.

The Treasury Board of Canada Secretariat (TBS) notes that their Management Accountability Framework (MAF) was developed to provide “a list of management expectations that reflect the different elements of current management responsibilities [and] focuses on management results” Thus it may be suggested that, if the accountable individual is provided with a clear set of expectations (typically a job description or terms of reference), that are divided and presented in a manner that ­promotes mutual understanding, then accountability can be established.

Perhaps the greater question is, why have accountability at all? The answer, lies in the more practical and linear concept of mission success. Figure 1 (below) illustrates that the mission requirement to protect Canadians imposes the need to develop intelligence and security processes, as well as to derive the operational authority and methods to implement those processes. Such actions must be permitted by law, which itself must provide the requisite freedom to the security practitioner to implement the processes necessary to achieve the mission. This process should be unencumbered by “political” interference (such as for reasons other than mission success) but constrained by an accountability framework based on Canada’s principles of openness and respect of differences, “attachment to democracy, the rule of law, respect for human rights and pluralism.” (what is being quoted here?) “Since there is no conflict between a commitment to security and a commitment to our most deeply held values,” (what is being quoted here?) presumably the controlled implementation of intelligence and security processes will result in mission success, that is, the protection of Canadians in support of national objectives.

A common thread through this linear model is the trust that is instilled into and maintained by the public both as individuals and through their elected officials. Accountability provides the framework and the basis for this trust.

Accountability is Individual
Wendi Peck and William Casey, in their article entitled Why accountability still counts in corporate America, note the example of the Soviet Union where “everyone was accountable for the output of the farm … that left no one truly accountable – and everyone hungry. Collectivist accountability didn’t work.” Many large organizations continue to hold executives collectively accountable, with no one person provided with the required authority and resources to meet his or her often unspecified portion of the business goals.

Peck and Casey suggest that it is laziness on the part of the managers in not assigning goals and expectations to individuals rather than instituting “single-point accountability” where individuals are held responsible for their performance and that of their subordinates.

Fortunately the TBS Management Accountability Framework, and Canada’s new Policy on Government Security (PGS), contribute to individual accountability. Its security program indeed “begins by establishing trust in interactions between government and Canadians and within ­government.” The PGS identifies Deputy Heads, Ministers of the Crown, Ministers, and ­Ministers of State as being individually responsible for the protection of personnel and assets under their control, and threatens consequences (“measures deemed appropriate”) for non-compliance with the policy.

This enhanced accountability requirement should focus senior decision-makers on ensuring that their departmental security programs are staffed with knowledgeable security practitioners and strong security governance.

At the highest levels, Whitaker and ­Farson have postulated, as one of their two key recommendations, the enhancement of Parliament’s role in the accountability process, “in close coordination with existing and enhanced review and oversight bodies. An important caveat is that increased accountability should not hinder the operations of those engaged in protecting Canada’s national security.”

Accountability is More than Compliance
The shift from rules-based security to threat-risk-based security in the government of Canada recognizes the “one size does not fit all” premise when implementing security safeguards.

The new Treasury Board Secretariat PGS rules stress the requirement for continuous risk assessment and adjustment of controls (safeguards) as necessary, based in part on support and advice from lead security agencies. Simply adhering to and demonstrating compliance with security baselines or minimal standards is inadequate within the current dynamic threat environment. Those who are individually accountable for protecting valued assets, typically through the establishment and maintenance of an effective security program, will require adequate numbers of properly-trained security practitioners in order to effect their accountability.

It follows (see Figure 1) that a failure to recruit, train and develop effective staff who can conduct true security risk management (including the implementation of appropriate security safeguards) would be inconsistent with demonstrating accountability to the Minister, to the government at large, and to Canadians.  

Accountability is complex
Emanuel and Emanuel from the Harvard Business School suggest that there are three essential components to accountability: its loci, or the parties that can be held accountable; its domains, or activities for which parties may be held accountable (also outlined in the TBS MAF); and its procedures for determining compliance and for disseminating evidence to the appropriate parties.

Complexity, with respect to the intelligence and security apparatus itself, is a real challenge. One needs to peel the myriad layers of vertical and horizontal governance and relationships among government ­entities, including operational relationships (some formal, some not), and, in some cases, the idiosyncrasies of key participants.

Whitaker and Farson lament a lack of a “system or network of accountability procedures [due to] poor linkages between many of the key elements” (most notably Parliament). Their other key recommendation, which would address this shortcoming, is to integrate accountability mechanisms “across institutional boundaries.”

In this manner, the scope of oversight and review would parallel the various intelligence and security agencies. Since information sharing, integration and fusion into useful products is a goal of both intelligence and security, it follows that accountability could be similarly integrated. Economies of scale, consistency, as well as complete review and auditing could be achieved to improve upon the current state of accountability for national security, which has been disparagingly described as “an ad hoc, piecemeal and uncoordinated fashion, resulting in a complex patchwork that defies easy rationalization around coherent principles.”  (to whom can we attribute this quote?)

While accountability is demonstrably complex, it need not be complicated. Effective accountability should be both singular and linear. The trick is to find the key recipients and work back until each accountable person is identified. The next step is to ensure that each has clearly written accountabilities, and is accountable to only one person for each operational function. In the case of uncertain or conflicting accountabilities, gaps in accountability will likely emerge and will constitute a serious breach in the overall security posture.

Once effective accountability is established, validation can be conducted by the integrated entity responsible for an operational function (for example, provision of national security, intelligence-gathering, or maintenance of an integrated departmental security program). This would be consistent with the fundamental security principle of centralized control and decentralized execution. Integrated accountability would establish new accountability baselines that better reflect the wishes and expectations of our political leaders and of Canadians.

Accountability Requires Competence
In its overview, the Management Accountability Framework describes competence as “essential… choices made by public service managers… assigning clear accountabilities, with due regard to capability.”

Competence takes many forms when addressing accountability. First and foremost is the technical competence in one’s security or intelligence specialty. Security and intelligence practitioners are expected by their superiors to provide reasoned security advice. In return, these practioners should expect to receive timely training, education and opportunities for professional development, primarily through a succession of more demanding assignments, aimed at enhancing their technical competence.

Operational competence, in this context, is the ability to adapt to circumstances in a dynamic threat environment and adjust the security posture to meet changes in risk. This requires an in-depth knowledge and continuous professional reading and learning of likely threats, vulnerabilities, and, perhaps most importantly, the most current technical or non-technical safeguards that can be applied.

Another aspect of competence and accountability is the maintaining of mutual trust. Superiors must be able to trust subordinates and gain their trust respect of handling ­sensitive information upon which security recommendations are made.

Similarly, internal and external reviewers conducting oversight activities must be trusted with this sensitive information. This requires a complete understanding of asset valuation, criticality assessments, sensitive data collection methods, and risks to intelligence operatives should there be a security breach. An extensive background check and granting of a security clearance is the first step, but as critical to mission success are continuous supervision of and assistance to new participants in intelligence and security activities, by experienced reviewers and security specialists, to ensure that no security or intelligence activities are compromised.

At the highest levels, accountability must lead to the public’s trust in its security and intelligence institutions. Security and intelligence practitioners can add greatly to this trust through their continued and demonstrated technical and operational competence.

Accountability is Achieved by Effective Oversight
Whitaker and Farson distinguish between oversight and review as a security practitioner distinguishes between monitoring and audit (Figure 2). The security practitioner considers oversight to be more general and continual within a program, while the authors define oversight as including “some degree of before-the-fact scrutiny.”  They consider both efficacy and propriety of security and intelligence entities subject to accountability requirements. They consider that efficacy (doing the right thing and doing things right) should be ensured both before and after the fact while investigating accountabilityfor propriety (doing things for the right reasons and not doing the wrong thing) is typically conducted after the fact. Efficacy also includes compliance with policy and regulation, but accountability is far more than simple compliance. The authors cite circumstances where scrutiny bodies did not have control over both efficacy and propriety, or where one or the other did not extend to all domains, and this is a limitation to effective security oversight.

Investigating accountability for propriety after an incident becomes public is reactive. It can be costly to strike and maintain the investigative body. It is a fundamental principle that security is much more costly to retrofit (especially after a breach), so the emphasis should be on properly designing security into programs. This holds true as well for accountability in that, if investigative and oversight bodies spend more time in prevention by reviewing efficacy in security and intelligence agencies, then there will be fewer requirements to investigate for impropriety. Effective security oversight ensures accountability, and vice versa.

A recent incident of lack of accountability in the realm of security (in this case personal security) concerned the Ontario government’s eHealth program. The President and CEO, Sarah Kramer and her group of senior bureaucrats, were found guilty of misappropriating $5.6-million in sole-sourced contracts and also found delinquent in providing documentation to justify the spending through circumventing procurement policies at eHealth Ontario. This program is designed to provide centralized electronic access to health records, thereby reducing errors, improving diagnosis, and saving lives. According to the province’s Auditor-General, there were no checks and balances exercised over spending. “The report identified numerous eHealth Ontario projects that were behind schedule or over budget. The total cost of Ontario’s eHealth strategy is $2.133-billion between 2009-2012. $1-billion of that budget was deemed wasted over the last six years by the province. Other reasons for the lack of accountability included a complete lack of upfront strategic planning, as well as a lack of properly functioning systems for approving and monitoring expenditures. Another example in July of this year was that of a “low-earning provincial bureaucrat” in Ontario’s Office of the Public Guardian and Trustee who bilked 52 mentally ill, homeless and even dead people of between $1,000 and $400,000 over a 12-year period for a total of $1.23M. This bears witness to the obscene degree to which a lack of personal accountability, combined with an absence of procedural and professional accountability, can lead.  

Question to Ponder
The foregoing represents some contemplations of one security practitioner on the topic of accountability for all security practitioners. Hopefully, these will elicit some discussion among professionals, and encourage readers to skim the source paper by professors Whitaker and Farson. It will be time well-spent.

Accountability may be said to be somewhat like security itself, in that it is imprecise to determine when there is “enough.” Security practitioners walk a fine line between meeting credible threats and vulnerabilities on one hand, and applying excessive controls on the other. A failure on the low side may result in a successful attack, while a failure on the high side typically results in excessive costs, inconvenience and distrust in the organization’s security program. Like security, accountability must in the end be measured by the qualitative feeling of trusted security instilled in senior managers, political leaders, and Canadians at large who feel that they are being protected adequately and with minimal impact on their liberty, freedom of movement, and human rights.  

Dr. Wayne Boone, CD is an Assistant Professor at the Norman Paterson School of International Affairs at Carleton University and a retired senior military police officer. His research interests include security program management and governance.
© FrontLine Security 2009