Security breaches at the NML: internal and public paths to truth-telling
Or, beyond Coles' notes
Prelude:
This is the promised longer version of the ‘Coles’ notes’ takeways that I posted on March 5.
Parliament was treated on the late afternoon of Wednesday, February 28, to a vast document dump of records related to security breaches at Canada’s only level 4 biosafety laboratory, the National Microbiology Lab (NML) in Winnipeg, managed by the Public Health Agency of Canada (PHAC). At issue were the practices of two Chinese-born scientists, a husband and wife team, Dr. Xiangguo Qiu and Dr. Keding Cheng, long domiciled in Canada. They were subject to an internal investigation, later to a CSIS security assessment, and were then stripped of their security clearances (a precondition for work at the Lab) and fired. Both scientists had been employed for years by the PHAC. In Dr. Qiu’s case, she joined the Canadian Science Centre for Human and Animal Health at the NML in June 2003. Her partner, Dr. Cheng, joined NML in 2006.
There is an RCMP investigation ongoing, but no charges have ever been laid for breaches of the Security of Information Act. In all the released documentation, there are no indications that Drs. Qui and Cheng conducted any acts of espionage or were operating under the instructions of any foreign entity.
What they can be indicted over is a profound carelessness and extraordinary naivete about their activities, cloaking themselves in an otherworldly realm as just very busy scientists doing their scientific work. They claimed they had no knowledge and no regard for the geopolitical circumstances or dangers of their work. To the pair, dealing with scientists in China , even ones in military uniform, was nothing more than business as usual, though Dr. Qiu was certainly not open about some of her activities in China when she was put under the security microscope and CSIS set to work opening up her engagements in that country.
Drs. Qiu and Cheng both blamed the Public Health Agency for failing to give them proper training in security procedures and principles. While that is a bit rich, there is plenty to blame PHAC for.
The Minister of Health, Mark Holland, admitted in a media scrum on the day of the documentary releases that the lax security procedures at the NML were unacceptable. He also tried to suggest, very unconvincingly, that they were a product of a different time, when less was understood of foreign interference by state actors like China. Let’s be honest, plenty was known about Chinese foreign interference threats by the government’s security and intelligence system in the 2018-2019 time frame when these incidents first came to light.
It took a scandal before PHAC acted. The agency released a very general statement on February 28, 2024, indicating that:
“Since 2019, the PHAC has invested significant time and attention to ensure research and science are conducted across the organization with a firm security mindset. “
A firm security mindset, eh. I wonder what that is, exactly?
The statement goes on to say that PHAC has instituted training and communication on security and employee accountabilities and has a “strengthened Policy on Affiliations with academic, research and health care organizations as part of a suite of additional Scientific Integrity policies.” Strengthened may be a bit of a misnomer as there doesn’t seem to have been any pre-existing policy on “affiliations.” There is nothing on enhanced IT security protocols, which were revealed to be one of the many security deficiencies at the NML. Also seemingly missing in action is any reformed policy for RVs (not recreation vehicles, but “restricted visitors”,) which allows for a consecutive ten-day use of such passes at the NML without any security clearance, and requires visitors to be escorted at all times (which in the past they were not—too bothersome for busy scientists). Try out a ten-day visitor pass at CSIS or CSE, or anywhere in government really, and good luck to you.
Well, this is the usual government ‘tell’ but no ‘show,’ based on a rather old-fashioned notion that Canadians should trust government organizations to do the right thing, even in the aftermath of scandal. The better option would be more transparency and more concrete accountability.
If there is new training, describe it; new communications, give us an example or two; a new “suite” of policies (how corporate)—publish them. Time not to trust, but to verify.
The records released to Parliament indicate that security laxness at the NML was well-known and often circumvented by scientists working there to avoid bureaucratic delays. A recorded interview with a former director of security operations at the NML says it all:
“the security culture at NML is affected by personalities combined with a historic lack of adherence to security practices.”
Personalities refers, it would appear, to leadership, and to the star power of eminent scientists like Dr. Qiu. The bigger the scientific star power the more you could brush off troublesome security requirements in the name of doing science. Dr. Qiu was certainly a star at the NML, awarded the Governor Generals’ Innovation Award in 2018 for her work to create an effective antibody therapy for Ebola, one of the world’s most deadly viruses. The award was well-deserved and brought lustre and attention to herself and to the NML. What matter a few security lapses?
Where did the security controversy begin?
You have to dig a bit in the records to figure this out. But fortunately, some official put together a very handy “investigative time path” chart. This indicates that CSIS engaged in a routine outreach to the NML for a discussion on current security threats and the modus operandi of “certain state actors” in August 2018. At this point, a NML official identified the names of two employees who might be targeted and might be unaware of their potential vulnerability. Things got rolling from there, with CSIS doing some initial checks and the DSO (Departmental security officer) for the NML identifying some security breaches related to a “male employee,” and, through an open source check, discovering a patent in China that “contained the name of a female employee.”
The Chinese patent involved ebola treatments and listed Dr. Qui as one of the contributors. The concern was about how Dr. Qiu came to be associated with the patent and about the potential loss of intellectual property owned by the NML. The male employee tagged with security breaches was her partner, Dr. Cheng, a biologist with access only to the Level 2 lab at the NML, but who supervised students at the lab.
The issue was elevated to the level of the President of PHAC, who authorized an initial fact-finding investigation in December 2018. PHAC called in an outside agency, a security consulting firm called Presidia, based in Ottawa, to conduct the initial investigation, which began in December 2018 and reported on March 7, 2019. Presidia reviewed policy documents and conducted interviews, including with Dr. Qiu. When confronted about the Chinese ebola patent, Dr. Qiu claimed not to know about it, but said she recognised that some of the work was done at the NML. She also agreed that there should have been a formal “Collaborative Research Agreement” (CRA) but stated that “the paperwork takes too long and between the scientists the work gets done.” Bugger IP.
Overall, the initial investigation found an extraordinary laxness around visitor policy at the NML; multiple violations of IT security; and multiple suspected breaches of Intellectual property policy. It recommended a follow-up investigation.
The follow-up study, now called an “Administrative Review,” was also outsourced by PHAC to the same security consulting firm, Presidia. As the review got underway, Drs. Qiu and Cheng were informed that they were suspended from work with pay, effective July 5, 2019. The review was to be confidential.
Presidia delivered its Administrative Review on February 5, 2020, this time based on more extensive interviews and document studies. It generally enlarged on some of the issues around IP and security protocol breaches already reported in the first review, although it was a little more forgiving on the Chinese patent issue, where it could not deliver a definitive answer of wrong-doing.
Now we cut to CSIS. In the aftermath of the first Presidia report, CSIS was asked by PHAC to reopen a security clearance investigation regarding Drs. Qiu and Cheng, which it did in June 2019. The CSIS produced its first report ten months later, on April 9, 2020.
CSIS’s initial security assessment on Dr. Qiu came to the conclusion that she would not willingly cooperate with a foreign state to compromise Canadian interests but judged that she might be susceptible to foreign influence because of her naivete and disregard for work protocols that might slow down her scientific research. As the CSIS document relates, the fear was that she might give preference to science over security.
The same judgement was reached by CSIS with regard to Dr. Cheng, noting his willingness to flout security rules, especially with regard to the oversight of visitors to his lab, for the sake of his productivity. CSIS also noted Dr. Cheng’s expression of resentment at his past treatment by PHAC and worried that her might harbour a grievance that would make him a target for foreign exploitation.
CSIS followed up with additional information and a significantly revised security assessment of Dr. Qiu on June 30, 2020. As part of this new round, Dr. Qiu was subjected to a second screening interview on June 19. 2020. Her situation was worsening, as she would discover. But she failed to come across as forthcoming or even plausible in some of her stories.
The updated CSIS security assessment was focused on additional information the Service had uncovered about Dr. Qiu’s relationship with various Chinese institutions, researchers and ‘talent’ programs. CSIS pressed her about these relationships and found her answers unsatisfactory and evasive, in particular with regard to her connection to the Wuhan Institute of Virology. The Service this time reached a harsher judgement on Dr. Qiu:
The Service now assesses that Ms. QIU developed deep, cooperative relationships with a variety of People's Republic of China (PRC) institutions and has intentionally transferred scientific knowledge and materials to China in order to benefit the PRC Government, and herself, without regard for the implications to her employer or to Canada's interests. It is clear that Ms. QIU not only failed to inform her employer of these activities but made efforts to conceal her projects with PRC institutions… The Service therefore assesses that Ms. QIU has engaged, may engage or may be induced to engage in activities that constitute a threat to the security of Canada as defined in the CS/S Act (Section 2(a)).
It is important to note that the charge is essentially speculative-- “has engaged, may engage, or may be induced to engage.” It is about a potential security risk that Dr. Qiu was believed by the Service to present. The CSIS security report concluded with this note:
“We assess that despite her enormous scientific knowledge and contributions, her behavior is incompatible with holding a Government of Canada security clearance.”
In this saga, Dr. Cheng played second fiddle to Dr. Qiu. In the Service’s follow-up security assessment of Cheng it noted the likelihood that Dr. Cheng was well aware of his wife’s involvement with the Wuhan Institute of Virology and knowledgeable about her relationship with other Chinese entities and talent programs. CSIS found his answers frequently evasive or untruthful. CSIS concluded that Cheng also posed a security threat.
Following the CSIS reports, Drs. Qiu and Cheng had their security clearances revoked and were suspended without pay by PHAC on August 20, 2020. Both filed grievances, that were dismissed. Due diligence and administrative action ground on, with a “Review for Cause of Security Status” report of October 19, 2020. This report essentially followed the lines of the CSIS security assessments with some additional evidence from forensic examinations of Dr. Qiu’s and Cheng’s digital devices and computer activities.
Both scientists were given a final opportunity to respond, which Dr. Qiu did in a short note that expressed her character, innocence and desire to continue to contribute to Canadian research. She described herself as:
“A research scientist that almost pays no attention to politics, I have dedicated almost all my time to the beauty of science through hardworking and national and international collaborations, no TV watching, no time to take vacations. It was only during the investigation interview that I started to know some new words for me, such as "NATO", "Spy", and "espionage". Before the investigation, I had spent all my time enjoying my achievement and trying to achieve more. I certainly owed my success to
Canada, the most peaceful and multicultural country in the world, and I really felt proud as a Canadian. Thinking back, what happened in the past were purely due to the lacking of proper training, the misunderstanding and ignorance of the policies of PHAC that I should have spent more time to learn and ask. I sincerely hope you understand my situation.”
This plea was ultimately not enough. The President of PHAC was given various options to deal with the security clearance revocation of Qiu and Cheng. He decided to revoke both their reliability and secret clearances and to terminate their employment in letters sent on January 19, 2021. That was the end of the line for the two scientists.
What had initially been an internal matter was, by early 2021, fully in the public eye.
So let’s cross over to the evolution of public attention to the security breaches at the NML.
The media (both Canadian and international) first got wind of curious goings on at the NML in July 2019. The CBC’s Karen Pauls, based in Winnipeg, reported on July 12, 2019, that the RCMP had been called in to investigate a “possible policy breach at the NML.” Anonymous sources featured in a subsequent story by Karen Pauls, published on August 3, 2019. [1] Her sources indicated that a shipment of live Ebola and Henipah viruses had been sent by the PHAC to “Beijing” on March 31, 2019. The actual destination of this virus shipment, the Wuhan Institute of Virology, was not publicly known at the time. Karen Pauls was told by her sources that improper procedures may have been used in the shipment and that Canadian IP may have been lost. PHAC spokespersons denied this and suggested it was a routine matter, though the reality was that this was the first time that viruses had ever been sent from NML to the Wuhan Institute. In the aftermath of this report there was much speculation, including the question of the possible link between this shipment and an RCMP investigation of unknown scope.
Drip, drip, drip.
The curtain was lifted slightly in June 2020, again by the CBC’s Karen Paul. She reported, based on records released to her through an Access to Information request, that it was Dr. Xiangguo Qiu who had been responsible for implementing the virus shipment to the Wuhan Institute of Virology. [2] Given that Canada had, with the rest of the world, been plunged in the COVID-19 crisis at this stage, and Wuhan had been identified as the initial epicentre of the disease outbreak, questions were immediately asked about whether there was any connection between the shipment and the COVID-19 pandemic. One public commentator raised the stakes by saying the transfer was “potentially life threatening,” claiming that the Wuhan Institute was engaged in dangerous “gain of function” research with deadly viruses. PHAC officials denied any connection between the shipment and the COVID-19 outbreak (Ebola and Henipah, for the record, are not coronaviruses) and also stated, for good measure, that there was no connection between the dismissal of Drs. Qiu and Cheng, and the shipment, As the released documents confirm (at length) the shipment of the viruses had, in fact been properly sanctioned, with one senior official at the NML confidentlky asserting that he trusted the Wuhan Institute. [3]
The PHAC responses to early media versions of the story in fact obscured the scope of the security investigations which were, by June 2020, well underway.
The public path for the NML security breach story grew more public, more dramatic and more political in the following year, 2021. The special Canada-China committee of the House of Commons became seized by the issue and proceeded to create a major Parliamentary impasse. On March 31, 2021, the committee demanded the production of all government regards related to the shipment of the viruses and the termination of employment of the two scientists. The government turned over some records, (271 pages) but many were heavily redacted. This did not satisfy opposition politicians on the committee who demanded an explanation from the then-President of PHAC, Ian Stewart. Sensing a cover-up, members of the Canada-China committee didn’t buy his assertion at committee on April 26, 2021, that redactions to the records were necessary to protect privacy and national security. Even Liberal members on the committee, such as Robert Oliphant, found this claim less than believable.
Next step, the House of Commons issued an order for the production of unredacted documents on June 2, 2021. Then, rather belatedly, the Minister of Health at the time, Patty Hadju, never the strongest performer in Cabinet, referred the matter to the security-cleared National Security and Intelligence Committee of Parliamentarians (NSICOP), saying it would undertake a study.
By this stage, Parliament was having none of it, and NSICIOP became unfortunate road-kill, not trusted by opposition parties to perform an independent and thorough study.
Political shenanigans followed, with the President of PHAC given a symbolic beating by Parliament—“called to the bar,” to be admonished for his refusal to fully release records (which it was not in his power to do). The speaker of the House upped the ante by ruling that Parliament had the right to see unredacted records. The Government responded to the Speaker by slapping him with a law suit!
The Government no doubt hoped that its election call in August 2021 would put an end to the controversy by returning it with a majority government. That, as we know, didn’t happen.
With the return of Parliament in the Fall of 2021, the NML story was, for a time, put on hold, but it would not go away. The then-House leader for the Liberals, Mark Holland, eventually jerry-rigged an alternative process, with the approval of the opposition parties. It was based on a model that a previous Conservative government has used to investigate questions of the handling of Afghan detainees by the Canadian armed forces, which made it difficult for the opposition to resist. The new procedure involved the creation of a special, ad-hoc group of Parliamentarians from all parties who would, on swearing an oath of secrecy, have access to all the records related to security breaches at the NML. Their deliberations on what records should be released in Parliament were to be overseen by a panel of three jurists—an improvement over the Afghan detainee study—who would have final say on redactions and public release.
The process was agreed to in a MOU dated October 31, 2022. The ad hoc committee got down to work in June 2023 to review the documents, referred their findings to the panel of jurists in November 2023, and met with the jurists on January 31, 2024 to hear their findings. The panel of three judges exercised its authority and successfully pressed the government for maximum disclosure—good work judges!
The committee of Parliamentarians, for its part, concluded that:
“the [redacted] information appears to be mostly about protecting the organization [PHAC] from embarrassment for failures in policy and implementation, not legitimate security concerns, and its release is essential to hold the Government to account.”
Ouch.
Such are the consequences of over-classification. It’s a lesson the Government should heed in its battle with the Foreign Interference Commission over redactions to the public record.
I have previously set out (substack column of March 5) what I think are the main takeaways from this story.
The keys for me are the volatile mix of a very poor security culture at the National Microbiology Lab; the presence of two Chinese-born scientists who displayed shocking naivete about geopolitics and the national security ramifications of their work; a rapidly worsening climate in relation with China; an adamant CSIS determination that both scientists posed a future security risk that could not be mitigated; a hyper partisan environment in Parliament that sought scandal out of national security issues; and, finally, a lack of transparency on the part of the Government, overturned under duress and far too late in the day.
Did any good come out of this mess? Certainly not for Drs. Qiu and Cheng, whose pleas and promises to reform were set aside.
Mark Holland’s ad-hockery produced a win in the form of the eventual release of the document dump, but should never have been needed. Opposition distrust of Parliament’s own creation, the National Security and Intelligence Committee of Parliament, stymied what would have been a natural and faster track to public reporting, along with recommendations for action, which was never in the mandate of the ad-hoc Parliamentary group.
The panel of three justices deserves three cheers for their effective work in forcing the government to release records.
The Minister of Health (now Mark Holland) has promised that all the security problems revealed in this story have been fixed. We are to trust him on that one, though curiously, and somewhat at odds with his assertion, is the fact that the Prime Minister has turned to his National Security and Intelligence Adviser to review the whole case. Parliament, in the meantime, has been deprived (at least temporarily) of the opportunity to make more political hay on this story.
The worst outcome? On the far margins of the NML security breaches story lurks a conspiracy theory that links the NML to the Wuhan Institute of Virology, to shadowy Chinese military scientists, to COVID-19, to the theory that COVID originated in a lab leak from Wuhan. Maybe there is even dangerous Chinese gain of function research on bats, aided somehow by Canadian scientists. It’s all bat-shit, of course, but that never stops conspiracy theories.
And, for as long as the story reverberates, the NML will be forever linked to Chinese espionage, a story that never happened.
[1] Karen Pauls, CBC, “Canadian lab’s shipment of Ebola, Henipah viruses to China raises questions,” August 3, 2019, https://www.cbc.ca/news/canada/manitoba/ebola-henipah-china-1.5232674
[2] Karen Pauls, CBC, “Canadian scientist sent deadly viruses to Wuhan lab months before RCMP asked to investigate,” June 15, 202, https://www.cbc.ca/news/canada/manitoba/canadian-scientist-sent-deadly-viruses-to-wuhan-lab-months-before-rcmp-asked-to-investigate-1.5609582
[3] ibid
Thanks for this well written and easy to understand explanation.
Fascinating conclusion
I guess the FBI and other very credible sources are conspiracy mongers
I Agree, it must all be a conspiracy until it's true!
Federal Bureau of Investigation: The law enforcement agency “has for quite some time now”concluded that the virus originated accidentally from the Wuhan Institute of Virology, a Chinese lab that worked on coronaviruses, FBI Directory Christopher Wray told Fox News in February.