CSE budget authority tops $1 billion

Planned additions to CSE's fiscal year 2023-24 budget authority that were announced in the Supplementary Estimates (B), tabled in parliament on November 9th, will push the amount of money the agency is authorized to spend this year above the $1 billion mark for the first time in the agency's history.

The changes proposed would result in a $15,196,568 net increase in CSE's 2023-24 budget authority, boosting the total figure from $984,855,602 to $1,000,052,170. 

Notable increases include a $10,771,964 top-up for the ongoing operations of the Canadian Centre for Cyber Security; $1,592,171 for the Interim Quantum Safe Capability project; $1,500,000 for advertising programs; and $1,176,929 to "enhance national security through an academic research initiative" (part of a project originally announced in Budget 2022).

The full list of changes, including an increase in funding for statutory programs and various transfers between departments, can be found in the estimates document. 

Normally, there is a small shortfall between the amount of money CSE is authorized to spend in a fiscal year and the final amount actually spent during that year, so it is possible that the agency's spending ultimately will fall somewhat short of the $1 billion milestone this year. However, there will also be another opportunity for CSE to receive a boost in spending authority before the end of the fiscal year (the Supplementary Estimates (C), expected in February 2024), so the final figure is very much up in the air.

Cyber operations spending revealed

Meanwhile, there has been a change in the way CSE's past spending is reported in the online GC InfoBase. 

In previous years, CSE's spending was broken down into two major programs: Foreign Signals Intelligence and Cyber Security. But the spending for the most recent year for which numbers are available (FY 2022-23) is broken into four programs (click image for a better view): $336,912,405.10 for Foreign Signals Intelligence, $9,145,757.10 for Foreign Cyber Operations, $280,703,287.42 for Operations Enablement, and $304,486,444.45 for Cyber Security.

No explanation of these categories is provided, so we are on our own to interpret what they mean. I think what's going on is this: The Cyber Security program covers the spending of the Canadian Centre for Cyber Security (the Cyber Centre), as it did in the past. The other three programs cover the spending that used to be reported simply as the Foreign Signals Intelligence (SIGINT) program.

The change was probably made to enable spending on CSE's Foreign Cyber Operations, which comprise the Active Cyber Operations (ACO) and Defensive Cyber Operations (DCO) that were added to CSE's mandate in 2019, to be reported as a separate program. The tricky part is that these activities mostly use the same IT systems and knowledge base and even a lot of the same personnel as CSE's SIGINT activities. They also both benefit from the same administrative and security services, maintenance activities, and office accommodations provided by the agency. It looks to me like these common services are now reported as the Operations Enablement program. It's possible that certain common services also used by the Cyber Centre are listed in that program as well, just to make things more confusing, but I'm guessing that probably isn't the case.

The remaining two programs probably list just the resources dedicated specifically to SIGINT and to cyber operations, possibly just the direct personnel costs for the staff assigned to the SIGINT production chain on the one hand and those assigned to ACO/DCO activities on the other, as measured in full-time equivalents (FTEs). 

Whatever their exact composition, the two spending numbers associated with these programs, $336.9 million and $9.1 million, respectively, would appear to indicate that as of 2022-23 the Foreign Cyber Operations program was only about 1/37th the size of the SIGINT program. In FTE terms, that might translate to something like 60 people in cyber operations. (If more than just direct personnel costs are counted for these programs, the number of people involved would be lower, possibly as low as 30 for cyber operations.)

I would offer kudos to CSE for its willingness to see this information published, but frankly I'm going to wait until next year when we see whether this exercise in transparency continues.