Friday, July 11, 2025

Intelligence Commissioner’s 2024 annual report

Intelligence Commissioner Simon Noël released his 2024 Annual Report on 13 June 2025. In a welcome move, the redacted versions of the written decisions the Commissioner rendered on the seven ministerial authorizations (MAs) that were issued to CSE in 2024 were also released on the same day. 

I’ll be honest with you. This kind of document typically does not make exciting reading, and this year's collection is no exception. But if you’re interested in gradually building a more complete picture of what CSE is up to, then they do deserve a careful reading, because Intelligence Commissioner Noël, like Commissioner Plouffe before him, has been steadily – if ever so slowly – widening the window these reports offer into CSE’s activities.

In the following post, I’ll try to draw out some of the key points that I think we can learn from this year’s reports, as supplemented by information released by other watchdogs and by CSE itself. I’ve also updated and in some cases corrected the post I did last year on the Intelligence Commissioner’s 2023 annual report based on what we’ve learned this year.
 

The Intelligence Commissioner rendered decisions on seven MAs in 2024: three MAs for foreign intelligence activities, one for cyber security activities on federal infrastructure, and three for cyber security activities on non-federal infrastructures. One element of one of the foreign intelligence MAs was not approved. All the other MAs were fully approved.


FOREIGN INTELLIGENCE MAs

The one foreign intelligence MA that was not fully approved was the first MA the Intelligence Commissioner addressed in 2024, File 2200-B-2024-01, dated 4 April 2024. 

The part of the MA that the Intelligence Commissioner did not approve sought authorization for “a new class of activities, an example of which is enabling research activities.” These activities were to be “undertaken to support existing operational activities and to develop new capabilities.”

“While I recognize the importance of research for CSE to develop tools and capabilities in support of its mandate,” the Commissioner wrote in his decision, “the [Minister’s] conclusions are unreasonable for the following reasons: a) contradictions in the record lead to uncertainty in the Minister’s conclusions about how Canadian-related information will be treated; b) the Minister’s conclusions do not explain how Canadian-related information in [redacted] could meet the essentiality test; and c) the Minister’s conclusions do not demonstrate that he sufficiently understands the nature of the activities that fall within the class given the broadness the class.”

The Intelligence Commissioner’s annual report explained the decision this way: “The IC identified uncertainty around how Canadian-related information collected incidentally would be handled. Specifically, it was unclear whether CSE intended to retain all this information. If so, there was no indication how the retention of the Canadian-identifying information satisfied the legal test that it be “essential”. The IC found that the Minister’s conclusions did not reflect a full understanding of the activities due to incomplete information from CSE. As a result, the IC found the Minister’s conclusions unreasonable with respect to that activity.”

What specifically does all this mean? That kind of detail was – as usual – redacted, so let the guessing games begin!

Let's start with the subject of the MA itself. 

The Commissioner is not permitted to tell us what types of activity any of the three foreign intelligence MAs annually sought by CSE address, but I suspect that this MA is the one that covers CSE’s interception of telecommunications traffic carried by fibre optic cable systems, primarily at intercept points where the cables carry traffic into and out of Canada. 


A schematic representation of CSE’s “cable access” (or “special source”) collection can be seen in this depiction of the “Canadian Cyber Sensor Grid” from a CSE slide deck that was part of the Snowden leak in 2013. Note the two clapper board symbols showing Canadian intercept points at the cable connections – the thick black lines – between Canadian internet space and foreign internet space.

In addition to intercepting targeted foreign communications, this program collects vast amounts of “unselected” metadata: all of the metadata that passes through CSE’s collection systems. Those systems are located principally on cross-border links to minimize the incidental collection of two-end Canadian traffic, but very large amounts of one-end-Canadian metadata are incidentally collected, and thanks to what has been called boomerang routing, a great deal of two-end-Canadian metadata also ends up collected. 

The metadata that CSE obtains in this and other ways has multiple important uses in the foreign intelligence program, but the Canadian-related data within it also has serious privacy implications, and CSE is required to limit how it retains and uses that data when it is recognized as Canadian-related.

It strikes me as possible that the Intelligence Commissioner’s concerns in this case were centred on a CSE proposal to use metadata containing Canadian-related information in the development of new analytical processes and/or target discovery techniques. 

As some of you will no doubt recall, the Snowden leaks revealed that CSE was doing exactly this kind of thing back in 2012 as part of the tradecraft development effort that became known as the “Airport Wi-Fi” project. That project drew on a two-week sample of metadata pertaining to personal devices that had used the wi-fi at Pearson airport, analyzing usage patterns at other locations the devices appeared at before and after appearing at Pearson in order to develop a method of characterizing unknown IP addresses that target devices might be detected at elsewhere in the world. Data centred on a Canadian location was chosen for development of the technique, CSE later explained, because “In order to develop an accurate model we needed a thorough understanding of a network associated with a public internet access point. We used data where the parameters of the network could then be validated through publicly available and geographically accurate information.” 

CSE’s lack of explicit legal authority at that time to collect and use Canadian-related metadata was one of the main issues raised during a court challenge of CSE’s activities launched by the British Columbia Civil Liberties Association in 2013. The subsequent passage of the CSE Act addressed this concern by giving CSE a Charter of Rights-compatible route to the collection and use of such data, bringing it under the purview of the ministerial authorization system. 

But for such activities to be approved, the Intelligence Commissioner has to agree that the Minister’s decision to authorize them is reasonable in light of the requirements spelled out in the Act. Was the collection, use, and uncertain disposition of Canadian-related metadata one of the concerns underlying the Commissioner’s decision not to approve the “enabling activities” part of the 4 April 2024 MA? 

As ever, we don’t know. But it does seem like a possibility.

Interestingly, the Intelligence Commissioner also removed a clause pertaining to enabling activities in the 2023 version of this MA. In that case, it seems possible that CSE sought approval for a much broader range of activities than simple research and development. (See here for more on the 2023 decisions.) But that could well have been part of the issue this year too: research activities were only cited as an example of the kinds of things potentially authorized by the rejected clause.


Radio monitoring and CNE

The remaining two foreign intelligence MAs issued in 2024 were both approved in full on 9 July 2024. 

The first, File 2200-B-2024-03, may be the MA that covers eavesdropping from Canadian diplomatic facilities and other kinds of radio monitoring activities. 

The Commissioners’ decisions sometimes include “remarks” to highlight issues that they feel deserve more attention. In many cases, these remarks apply across the board, not just to the specific MA decision in which they are made. In this decision there is an intriguing passage that may represent one of those more widely applicable comments. 

The Commissioner writes: 

“As indicated by the Minister, in some cases there are technical and operational reasons for the retention of certain types of information for a longer period, and even indefinitely. In this year’s Authorization, the retention period set out by the Minister for a particular type of information has been [redacted]. The rationale for [redacted] is straightforward: [redacted], its usefulness for foreign intelligence purposes goes [redacted]. I accept the Minister’s rationale.” 

Going out on a limb here, I would guess that this passage refers to the collection and storage of encrypted information that it is not currently practical to decrypt but which might become decryptable using quantum computers in the not too distant future. It could be referring to something completely different, of course, but encrypted material seems to me like a pretty good fit.

When CSE recently warned Canadians that other countries might be doing this to Canadian data, they called it the HNDL threat: “Systems protecting the confidentiality of information in transit over public network zones may be at risk earlier than expected due to the harvest now, decrypt later (HNDL) threat. A HNDL threat is when a threat actor intercepts encrypted information, stores it and then decrypts it in the future, when sufficiently powerful quantum computers exist. It is recommended that any systems susceptible to a HNDL threat be a high priority for migrating to [post-quantum cryptography (PQC)].”

Sounds like a reasonable thing for a SIGINT agency to be doing, now they mention it.
 

The second MA approved on July 9th, File 2200-B-2024-04, was probably the one that covers Computer Network Exploitation (CNE). 

The Commissioner’s decision for that MA points out that “even though the legislative framework (s 3, CSE Act) allows for Acts of Parliament to be contravened, the Minister sets out certain limitations – a red line – that CSE employees cannot cross when carrying out activities such as causing, intentionally or by criminal negligence, death or bodily harm to an individual or willfully attempting to obstruct, pervert or defeat the course of justice or democracy.” 

These same limitations are required by the CSE Act for activities conducted by CSE under the active and defensive cyber operations parts of its mandate, and it is appropriate that CSE’s CNE activities – which significantly overlap with cyber operations in terms both of targets and of tactics, techniques, and procedures – also be subject to them. 

These stipulations by the Minister were also noted by the Intelligence Commissioner in 2023, at which time he commented that he was “of the view that explicitly including these limits is necessary, as the CSE Act does not provide for them [in the context of foreign intelligence authorizations] and they do not appear in policy documents in the record.” 

Indeed, although the Intelligence Commissioner hasn’t advocated this, it would make sense to amend the CSE Act to give this red line the kind of permanence that changeable annual authorizations do not provide. 


Over-sharing CII

This year also brought news of a significant privacy failure in CSE's foreign intelligence activities. According to the Commissioner's annual report, “In 2024, CSE informed the IC that it had shared information collected under ministerial authorizations with international partners without removing Canadian identifying information” (CII).

Such mistakes are in fact made quite often, but this case seems to have been something more systematic extending over several years. 

The Commissioner encouraged CSE to be publicly transparent about the problem, and CSE did provide a brief account of the problem in its own annual report, which was released at the end of June. In that report, CSE explained that it had “identified an activity where, between 2020 and 2023, we shared some information with international partners without properly removing Canadian information that had been acquired incidentally when targeting valid foreign intelligence targets. Although the information remained safeguarded” – whatever that means in the context of giving it to the wrong people – “this activity did not meet CSE’s policy requirements. CSE acted quickly to contain the issue. Corrective actions included placing strict limits on information sharing and seeking assurances from CSE’s trusted partners that the shared information was deleted. We continue to update our policies and procedures to prevent reoccurrence.”

I’m guessing the information in this case probably was not metadata, because CSE’s international sharing of metadata was on hold between 2014 and January 2023 as a result of an earlier series of privacy snafus. That period covers most of the time during which this latest oopsie was underway. 

It also seems unlikely that the problem was in CSE’s end-product reports (EPRs), most of which are routinely shared with our partners. Mistaken releases of CII regularly do occur in EPRs, but they are individually corrected when they are discovered and are unlikely to be attributable to any single systematic cause.

So where did the problem occur? One possibility is that it lay in the collection CSE does on behalf of its Five Eyes partners using selectors supplied by those partners. Partner-supplied selectors are vetted by CSE and only applied to Canadian collection systems if they are compatible with Canadian intelligence priorities and are associated with foreign entities located outside Canada. But the incidental collection of Canadian communications or information about Canadians is still possible, and if Canadian information was not properly suppressed before the resulting intercepts were forwarded to the partners who requested them, that would represent a pretty significant privacy failure. 

Whatever its cause, the incident drew a bit of media attention following the release of the Intelligence Commissioner’s annual report, with CSE explaining itself using the same sparse sprinkling of details that it then published in its annual report about a week later.


CYBERSECURITY – FEDERAL INFRASTRUCTURE

One omnibus MA covering all cybersecurity activities that CSE conducts on federal government infrastructure is issued each year. In 2024, that MA, File 2200-B-2024-02, was fully approved by the Intelligence Commissioner.

There were still a couple of interesting items in the Commissioner’s written decision, however. 

Let her REP

One noteworthy section shed some light on an earlier point of contention. In 2022, Intelligence Commissioner Plouffe rejected an activity proposed in that year’s version of the MA as “outside the scope” of the federal cybersecurity provisions of the CSE Act. CSE chose to go ahead with the activity anyway, asserting that it could do it without an MA, and in 2023, Commissioner Noël, who had replaced Plouffe by that time, called on CSE to explain itself.  

The 2024 decision provides some additional explanation about the activity: the issue was the acquisition of publicly available information that might contain information for which Canadians or persons in Canada have a reasonable expectation of privacy (REP). 

CSE can acquire such information under a ministerial authorization (assuming appropriate privacy measures are taken), but those authorizations pertain only to information obtained from the federal infrastructure (or non-federal infrastructures designated as of importance to the government of Canada, in the case of non-federal cybersecurity MAs). CSE can acquire publicly available information from other sources without an MA, but only if it does not contain REP information.

CSE’s position seems to have been that it could in fact acquire information that might have an REP without an MA as long as the risk that REP information would be collected was small, measures were taken to eliminate REP information if it was found, and any infractions were reported. 

The Commissioner was unconvinced by this argument: “I want to reiterate ... that when CSE determines whether it may conduct an activity without a ministerial authorization, the CSE Act makes it clear that the primary concern is that no information in which Canadians have a reasonable expectation of privacy be collected. Thus, determining that the information was not [redacted] would not necessarily be sufficient. Publicly available information, as defined by section 2 of the CSE Act, cannot include information in which Canadians or persons in Canada have a reasonable expectation of privacy. As a result, although subsection 23(4) of the CSE Act allows CSE to incidentally collect information related to a Canadian or a person in Canada when carrying out activities under a cybersecurity authorization, publicly available information acquired for the purposes of section 17 of the CSE Act cannot incidentally contain Canadian-related information. Indeed, pursuant subsection 23(4), the lawful authority to incidentally collect Canadian-related information is limited to activities carried out under an authorization.”

Since CSE was not asking to carry out these activities under that or any other MA, the agency's decision to proceed with them was not actually under the Intelligence Commissioner’s jurisdiction, as the Commissioner himself acknowledged.

But the question of whether CSE is operating lawfully is a vitally important one, and if CSE needs this kind of data to perform its duties (and can apply appropriate privacy measures), then the answer surely is for the government to amend the CSE Act accordingly. This seems to be the path preferred by the Intelligence Commissioner, who commented, “I do not disagree with the Chief’s assessment that there is an incongruity in the CSE Act and that a legislative amendment would bring clarity to CSE’s activities in this sphere.”

The National Security and Intelligence Review Agency (NSIRA) also looked at this question last year, agreeing with the Intelligence Commissioner that “CSE cybersecurity activities that risk interfering with a reasonable expectation of privacy of a Canadian or person in Canada can only be authorized on federal information infrastructures and systems designated as important to the Government of Canada.”

NSIRA also called for amendment of the CSE Act, recommending “that section 27 of the CSE Act be amended to permit the Minister to authorize CSE to acquire information that is necessary for CSE's cybersecurity and information assurance aspect (but which may contain information that interferes with the reasonable expectation of privacy of a Canadian or person in Canada, or contravene an Act of Parliament), from sources other than federal information infrastructures and systems of importance to the Government of Canada.”

In its official response to NSIRA's recommendation, CSE declared itself in agreement with the review agency: "CSE agrees that legislative amendments would help clarify the ability of the Minister of National Defence to authorize CSE to acquire cybersecurity information from the GII that interferes with the reasonable expectation of privacy of a Canadian or person in Canada."

Whether the Carney government will put such an amendment before parliament of course remains to be seen. 


Excessive retentiveness on retention periods

The Commissioner’s decision also contains an interesting discussion of how CSE retains some of the information it acquires for a certain amount of time to enable it to “go back in time” when performing certain analyses. 

Unfortunately for those of us who like the details, the length of that retention period was redacted from the document: “[T]he Minister explains CSE must be able to retain information that has not been identified as useful for a [redacted] period. A [redacted] assessment period is needed for CSE to analyse the information in the case of a cyber event and examine its evolution over time.... As explained in the record, keeping the information for a [redacted] period allows CSE to compare newly discovered vulnerabilities against its unassessed information and determine whether they exist within the federal systems. The record provided an example where the ability for CSE to “go back in time” enabled CSE analysts, following an identified vulnerability within the impacted federal systems to identify the threat and take immediate mitigation actions.”

As you might guess, I’m not persuaded that details like CSE’s data retention period really need to be redacted. But, of course, it’s not my call. 

That said, if it actually is important to keep information like that secret, maybe officials ought not to provide it to parliamentary committees in open testimony.

Like this: “For data that are not particularly useful, the retention period is a maximum of one year.” (Richard Larose, Senior Technical Advisor, CSE, 8 April 2024)

Or this: “In a cyberdefence operation, if information gathering impacts Canadians’ privacy, the information may be kept for a maximum of one year, unless it is deemed essential for the purposes of the cyberdefence operation.” (Intelligence Commissioner Simon Noël, 18 November 2024)

In my opinion, if information is already out there on the public record, there is no good reason to continue redacting it from documents like the Commissioner’s written decisions.


CYBERSECURITY – NON-FEDERAL INFRASTRUCTURES

Finally, we arrive at the three MAs issued for cybersecurity activities on non-federal infrastructures.

The first of the non-federal MAs to be approved, File 2200-B-2024-05, is an intriguing one. The need for the Cyber Centre’s assistance was evidently urgent, so the Intelligence Commissioner approved the MA immediately and issued his written reasons for the decision later. 

Other than the fact it was approved in 2024, all dates associated with this MA were redacted from both of these documents, presumably to make it more difficult for folks like us to correlate it with publicly known events. But of course this is tantamount to erecting a flashing neon sign announcing that the MA probably is correlatable with one or more publicly known events, so let’s give it a go.

In its most recent annual report, CSE referred in passing to “provinces and territories with access to our sensor services,” confirming – perhaps inadvertently – that the agency has begun providing cybersecurity services to provincial as well as territorial governments. Such services are only available via MA. Since the three territorial governments are already all accounted for by the MA approved on 15 November 2024 (see below), it would seem we’re looking for one or more provincial governments for this one.

That being the case, the government of British Columbia seems like the most obvious candidate for this year's mystery guest. 

As this CBC news report explains, the B.C. government became aware of a series of breaches or attempted breaches of its IT systems in April 2024:

“[T]he B.C. government first began investigating an attempted breach of its systems on April 10. On April 11, the cybersecurity incident was confirmed and reported to [the Cyber Centre (CCCS)], and the government also notified Microsoft's Detection and Response Team (DART) of the suspected breach attempt. A few weeks later, on April 29, [B.C. public service head Shannon] Salter said the same threat actor was involved in additional activity on government systems, and public service workers were told to change their passwords. On May 6, another cyberattack was identified, with Salter saying the same threat actor was responsible for all three incidents. Two days later, B.C.'s premier went public with news of the attack, after the CCCS told officials that safeguards had been put in place that would allow the public to be notified.”

(My thanks to a colleague who will remain unnamed for reminding me of this case.)

I am given to understand that one or two other, not publicly named, provincial governments also suffered serious intrusions last year, so it is possible that more than one government is covered by this MA. But given the speed with which the MA was processed, unless the requests for help were almost simultaneous, it seems less likely to me that multiple governments were involved. Time may eventually tell.
 

The second of the 2024 non-federal cybersecurity MAs, File 2200-B-2024-06, was approved on 22 October 2024. 

This MA is the fourth in a series of MAs first issued in 2021. Last year, I thought this extended series of renewals was evidence of a proactive, preventive intervention on the part of the Cyber Centre, not a reaction to a specific cyber threat. 

But this year’s written decision makes it clear that it is in fact a reactive activity – just one that is taking an unexpectedly long time to conclude.

When he approved the third iteration of this MA in 2023, the Commissioner thought that one would be the last one: “Based on the Minister’s conclusions in last year’s authorization, it was my understanding that following the completion of the [redacted] outstanding recommendations – which he anticipated would be implemented in 2024 – CSE’s support would no longer be required.”

But that turned out not to be the case. “The Minister explains that although the non-federal entity has made substantial progress with the implementation of CSE’s recommendations to improve its cybersecurity posture, there is continued presence of malicious activity on the system and some of the key recommendations remain to be completed.”

“The length of time taken is largely attributable to the procurement process,” the Commissioner reported.

Given this record and the sophistication of the threats facing it, Commissioner Noël questioned whether the entity receiving assistance would ever be able to look after its own security: 

“[The Minister] writes that “[t]he commercially available safeguards put in place by [the non-federal entity] are not sufficient to identify and counter persistent and increasingly complex cyber threats.” This raises the question of whether commercially available safeguards will ever be sufficient on their own. While last year’s authorization recognized that there would be an eventual cessation of CSE’s cybersecurity activities on the non-federal entity’s system – at the time expected in 2024 – this year’s record does not indicate when the outstanding recommendations might be completed, or suggest that once the recommendations are fully implemented, CSE’s presence will no longer be required.”

It will be interesting to see if a fifth MA is issued for this entity later this year.

We still don’t know what company or even type of industry is involved in this case, although a telecommunications company certainly seems like a plausible possibility. 

In June 2025, CSE revealed that it was “aware of malicious cyber activities currently targeting Canadian telecommunications companies. The responsible actors are almost certainly PRC state-sponsored actors, specifically Salt Typhoon.” 

Whatever the identity may be of the entity receiving assistance under this MA, the Intelligence Commissioner believes that CSE’s assistance to it has been extremely valuable, and for the second year in a row he made a point in his decision of urging CSE to tell the public the story of its intervention when security considerations make it possible to do so. 


The last of the three non-federal cybersecurity MAs issued in 2024, File 2200-B-2024-07, was approved on 15 November 2024. This is the MA that covers cybersecurity assistance to Canada’s three territorial governments, those of the Northwest Territories, the Yukon, and Nunavut. The first version of this MA was issued in 2023 (an earlier MA covering just the NWT government was issued in 2022), but the 2024 MA was the first in which the identities of these governments were left unredacted.

(They weren’t redacted this year presumably because CSE had already identified them in its 2023-24 annual report, released in June 2024.)

It seems likely to me that Cyber Centre support to these governments will continue for the foreseeable future, and that long-term support for a number of provincial governments may also become an ongoing thing.

But the Commissioner has laid down an interesting marker in this respect: “As mentioned in my reasons, CSE’s continued presence has a preventative, or proactive, objective. However, I wish to be clear that my conclusions do not entail that a designation as a non-federal entity of importance to the Government of Canada, in itself, is sufficient to support the Minister’s conclusions that a cybersecurity authorization would be reasonable if deployed for a preventative objective.... A cybersecurity authorization pursuant to section 27(2) of the CSE Act is issued for the purpose of helping to protect a non-federal entity’s system from mischief, unauthorized use or disruption. In contexts where cybersecurity activities are carried out for preventative or proactive purposes, I am of the view that the Minister nevertheless needs to establish a factual basis for CSE’s assistance.”

He made a similar argument in his 22 October 2024 decision, adding: “Cybersecurity authorizations are intrusive on privacy interests given the necessary collection of information in which Canadians have a reasonable expectation of privacy – even though the collection is ancillary to safeguarding the system. I consider the degree of intrusion even higher in the case of cybersecurity authorizations in support of non-federal entities because CSE – a Government of Canada agency – is collecting information it would otherwise not have access to. And of course, the intrusion is exacerbated the longer it lasts. It is therefore important that the rationale for continuing this ancillary collection over an extended period of time is sufficiently considered and justified in the Minister’s conclusions.”

The argument, I think, is that there is a trade-off that must always be weighed between the benefits of providing cybersecurity assistance and the value of minimizing government intrusion into the reasonable expectation of privacy of Canadians and persons in Canada.

Although the number of non-federal cybersecurity MAs may still be too low to draw definitive conclusions, there seems to be a trend away from short-term, reactive responses towards longer-term, proactive activities on CSE’s part, especially with respect to other levels of government. It will be interesting to see if this trend continues – and how this Intelligence Commissioner and future ones respond to it.


CSE NUMBERS DIFFER

CSE’s recently released 2024-25 annual report provides statistics that differ slightly from those reported by the Intelligence Commissioner in his annual report. According to CSE, “This year, CSE submitted 8 authorizations to the Intelligence Commissioner and all were approved.” Non-federal cybersecurity MAs accounted for four of the authorizations.

Meanwhile (as noted above), the Intelligence Commissioner reported that he considered seven authorizations in 2024, six of which were fully approved and one of which was only partly approved. Non-federal cybersecurity MAs accounted for three of the authorizations.

The primary explanation for these discrepancies almost certainly lies in the fact that the two sets of statistics cover somewhat different time periods. The Intelligence Commissioner reported on calendar year 2024, while CSE reported on fiscal year 2024-25, which ran from 1 April 2024 to 31 March 2025. 

A non-federal cybersecurity MA that was approved in the first quarter of 2025 would appear in CSE’s statistics but not those of the Intelligence Commissioner, thus accounting for the different totals.

If there was indeed a new non-federal cybersecurity MA approved in early 2025, it could be a sign that one or more additional provincial governments are now receiving federal cybersecurity assistance. 

Alternatively, the assistance might be going to another telecom victim of Salt Typhoon. CSE’s recent bulletin about Chinese state-sponsored actors revealed that “Three network devices registered to a Canadian telecommunications company were compromised by likely Salt Typhoon actors in mid-February 2025.” That would fit pretty well with a new MA in the first quarter of 2025. A media report later identified the unnamed company cited in CSE’s bulletin as Rogers. 

Next year we should get a better sense of whether the new client is a company or a government.

While the difference between CSE's overall numbers and those provided by the Intelligence Commissioner seems easily explainable, CSE's claim that all the MAs submitted to the Intelligence Commissioner in 2024-25 were "approved" is less easy to explain. The decision that the Intelligence Commissioner issued on 4 April 2024 – a date that falls unambiguously into CSE's fiscal year 2024-25 – was only a partial approval: one section of that MA was very much not approved. I can only assume that CSE made a mistake here: they can't really think an outcome like that can be classified as "approved". 

  

Saturday, June 21, 2025

Budget blowout: CSE promised almost 50% increase

The Supplementary Estimates (A) for fiscal year 2025-2026, tabled on 9 June 2025, indicate that the Carney government plans to boost CSE's budget to $1.591 billion in this fiscal year. That's nearly 50% higher than the agency's spending in 2024-25, the fiscal year just completed, which according to current estimates was about $1.1 billion (the exact number won't be known until later this year). 

As the chart below shows, CSE's budget has been on an upward trajectory almost continuously since the late 1990s. The agency's proposed 2025-26 budget is eight times as large as it was at the end of the 1990s — after adjusting for inflation. 

(The spike in 2014-15 was the result of a one-time $300-million payment made when CSE's main headquarters complex, the Edward Drake building, was completed.)

The initial impetus for the agency's explosive growth was the spending burst that came in the wake of the 9/11 attacks in the U.S., as Ottawa geared up for a role in the Global War on Terror (TM).

But what kept the money flowing was the emergence of the Internet and ubiquitous computing, which created a huge new target surface for intelligence gathering, corresponding new vulnerabilities that required improved cyber security efforts in Canada, and, more recently, an expanding arena for covert action through active and defensive cyber operations in the Global Information Infrastructure.

That 25-year process has already seen CSE grow from around 900 employees in the 1990s to more than 3,500 in March 2024. The current number is undoubtedly even higher (we should get an update to March 2025 in the next few days [Update 28 June 2025: The March 2025 total was 3,841]): in October 2024, CSE Chief Caroline Xavier revealed that the agency was on track to grow to between 4,000 and 5,000 employees over the next few years. 

With this latest budget increase, that number seems sure to go even higher.

CSE was already slated for a budget increase in the Main Estimates, which were tabled on May 27th and promised the agency $1.221 billion. The Supplementary Estimates (A) added $370 million to that total, describing it not particularly helpfully as "Funding for digital tools and capabilities." 

Since hiring a lot of new staff takes time, if CSE does manage to spend the full $1.6 billion now promised to it, a lot of that new money will likely have to go to equipment purchases or upgrades, which does seem broadly consistent with the description provided in the Supplementary Estimates.

A possibly related question is whether the $1.6 billion number will turn out to be a spike, like the one in 2014-15, or the start of a new, accelerated growth phase for CSE. 

With Ottawa apparently seized with determination to shovel defence dollars out the door as fast as possible (and CSE spending evidently counting as part of defence spending broadly defined), I expect this year won't be the end of the agency's growth, but I do think it likely that this new phase will slow to somewhat more "normal" levels of growth in future years.

We'll have to see how it all plays out.

 

Sunday, May 04, 2025

Twenty years of blogging

Twenty years ago today, on May 4th, 2005, I wrote the first post on Lux Ex Umbra, titled Canada, SIGINT, and this blog.

If we count the long-since-departed website I built in the mid-1990s, which was also called Lux Ex Umbra, I've been posting online on this subject for closer to 30 years. Whew.

If you're thinking of writing a blog on an extremely niche topic, I wouldn't necessarily advise you to choose one for which most of the likely audience is permanently bound to secrecy. It does not make for a highly interactive experience.

But the process of writing it has helped me to better understand at least a little of what goes on in the Canadian SIGINT program and sometimes eventually to correct some of my many mistakes and misconceptions, so it has been useful to me.

I hope that whatever readership I may have had here over the years has also found it useful, informative, or at least occasionally interesting.

It has been fun. Yes, I do have a strange idea of fun.

Health and other circumstances permitting (so far, so good), I expect to continue posting here for some time to come.

 

Thursday, December 19, 2024

2023-24 was CSE's first billion-dollar year

The Public Accounts of Canada 2024, tabled in parliament on December 17th, confirm that fiscal year 2023-24 was CSE's first billion-dollar year. The agency spent $1,010,795,977 during the fiscal year that ended on March 31st, 2024.

CSE has been growing almost continuously since 2001. Its 2001-02 budget was originally projected to be $100 million, or about $173 million in today's dollars — just over one-sixth of its 2023-24 spending. That's probably about what the agency would have ended up spending that year had it not been for the 9/11 attacks, which completely changed the budget picture. The actual amount CSE spent that fiscal year was $189 million, or about $327 million in 2024 dollars.

But while the "Global War on Terror" was responsible for the initial boosts in CSE's spending in the years that followed, what really kept the money taps flowing was the explosive growth of the Internet and ubiquitous computing, which created a vast new source of intelligence ripe for the gathering, new forms of vulnerability that required a greatly expanded cybersecurity response, and, more recently, a global arena for cyber-enabled operations.

It's that transformation that has kept CSE growing for more than two decades and that keeps it growing still. 

The Supplementary Estimates (B), 2024-25, tabled in November, boosted CSE's fiscal year 2024-25 budget authority to $1,126,635,267. 

We'll have to wait for next year's Public Accounts to see what the actual amount spent this year turns out to be, but even further growth is in the plan. In October, CSE Chief Caroline Xavier stated that the agency expects to have more than 4,000 — almost 5,000 — employees by the time its currently approved growth is done. As of 31 March 2024, the agency had 3,529 employees.

 

Spending by program

Little information is released about the details of CSE's spending, but the GC Infobase does provide a breakdown of that spending into broad programs that is updated every year after the Public Accounts come out. 

Originally, two major programs were listed: Foreign Signals Intelligence and Cyber Security. But for the past two years, CSE's spending has been broken into four programs. In 2023-24 it was: $356,782,293.49 for Foreign Signals Intelligence, $11,932,939.62 for Foreign Cyber Operations, $291,671,819.01 for Operations Enablement, and $350,408,924.73 for Cyber Security.

(See here for further discussion of these categories.)

Of particular interest is the information on CSE's Foreign Cyber Operations (FCO) program, under which the agency executes its active cyber operations and defensive cyber operations mandates. This is one of the few windows we have into the scale of that program. 

In 2022-23, the first year for which these data were provided, $9,145,757.10 was spent on the FCO program. The $11,932,939.20 total recorded for 2023-24 is 30% higher than 2022-23's total. It still accounts for just 1.2% of CSE's overall budget, however.

In personnel terms, that might translate into as many as 90 full-time equivalent (FTE) employees in the FCO program, although it could be as few as 40 if administrative, accommodation, and other support costs are included in the spending total. These are very small numbers in comparison to CSE's overall staff, but — guessing wildly here — CSE may not need more than a few hundred operators in the FCO program, at least in the near future. Even at its current size, the cyber operations program may be approaching the scale where CSE can contemplate sustained, simultaneous operations against at least a couple of objectives, particularly if conducted in cooperation with other partners.

On that question, CSE has acknowledged that it takes part in, and even sometimes leads, combined cyber operations with international partners, and it also has domestic partners, most notably the Canadian Armed Forces' Cyber Command (CAFCYBERCOM).

CAFCYBERCOM's capabilities are themselves still nascent, but for a decade now CSE and the armed forces have been slowly building the capacity to conduct combined cyber operations through their Combined Cyber Unit (CCU), a joint CSE-CAF entity that can operate under CSE authorities, CAF authorities, or a blend of the two.

It will be interesting to see how CSE's (and the CAF's) cyber operations capabilities evolve as time goes on.


Tuesday, October 08, 2024

The spies who came south from the cold: CSE's 1980s renaissance

The following is the presentation I made on day one of the Canadian Intelligence History at the Crossroads conference, held in Ottawa on 3-4 October 2024.

(Image credit: Charles Stankievech)

The birth of the Canadian Security Intelligence Service dominated the headlines in the mid-1980s, but Canada’s signals intelligence agency, the Communications Security Establishment, underwent a quiet rebirth of its own during the same years, shifting from an almost exclusive focus on the Soviet north and adding an array of new collection and processing capabilities to increase the agency’s value both to the Canadian government and its intelligence partners.

 


From its beginning, CSE worked in close integration with the UKUSA intelligence partnership, now commonly called the Five Eyes, in particular with its much larger U.S. and U.K. members. By 1957, the Canadian SIGINT program was focused almost entirely on Soviet long-range, high-frequency radio communications in the Arctic and the northern Soviet Union. This material provided the main Canadian contribution to the allied foreign intelligence partnership, in return for which we got access to a very wide range of U.S. and U.K. intelligence reporting.

You can read more about the development of CSE’s Arctic role in Wesley Wark’s 2020 article “Favourable geography: Canada’s Arctic signals intelligence mission” in the journal Intelligence and National Security.

On this map you can see the radio intercept stations that were operated for CSE by the Canadian Forces Supplementary Radio System during the 1970s and into the 1980s: Leitrim here in Ottawa, Gander in Newfoundland, Masset in Haida Gwaii, B.C., plus two stations in the Far North, Inuvik and Alert, with Alert being the most important of the collection sites.

The Supplementary Radio System also operated a radio direction-finding site in Bermuda, used mostly to monitor the movements of Soviet missile subs and other maritime operations, which David Charters will be talking about later today.


This division of effort worked well for CSE, but as time went on HF radio declined in importance in Soviet communications, leading to allied dissatisfaction with the scale of Canada’s already small contribution. There was also concern within the Canadian government about a lack of political and economic intelligence on topics of special interest to Canada that were not well covered by allied reporting.

Some efforts were made to diversify CSE’s collection and processing in the 1970s, but only minor progress was made, due to a number of factors, including very tight budget constraints and lack of strong Cabinet-level engagement.

[Parenthetic comment I didn't have time for in the conference presentation: Not all diversification efforts were unsuccessful. The image shows a Soviet troposcatter communications site. Although more isolated locations and mobile emitters such as ships and aircraft continued using HF radio, troposcatter systems replaced a lot of Soviet communications in the far north. This posed a problem for CSE as these systems couldn't be monitored by Canadian intercept stations. But they could be monitored by the geosynchronous SIGINT satellites that the U.S. began launching in the late 1960s, and in 1971 CSE was brought in to help process the take from those satellites.] 


Things started to improve for CSE in the early 1980s with the start of the PILGRIM program, which picked up from an earlier experimental intercept site in Canada’s Moscow embassy that had operated for a couple of years starting in 1972.

However, the big change came in 1984, when CSE cut a deal with the Department of National Defence and Treasury Board to close the intercept site at Canadian Forces Station Inuvik but continue funding the station’s 276 person-years for use elsewhere in the SIGINT program, mostly at CSE itself. DND, which was receiving large annual budget increases of its own by this time, also agreed to provide a small injection of new capital funding for CSE and the SRS.

This enabled CSE to propose a wide-ranging set of improvements to its collection and processing programs, which it put forward in its Strategic Overview for the Cryptologic Program, 1985-1988, presented to the Interdepartmental Committee on Security and Intelligence in March 1984.

(Huge thanks, by the way, to the Canadian Foreign Intelligence History Project for obtaining the release of this document and many of the others relied upon for this presentation.)

The plan was designed to help CSE address three main challenges: to broaden its collection focus to provide the government with more domestically produced economic and political intelligence while continuing to provide defence-related intelligence; to improve CSE’s contribution to the UKUSA intelligence pool and thus preserve our access to the vast output of our UKUSA partners; and to modernize CSE’s collection and processing capabilities, maintain compatibility with partner systems, and keep up with changing communications technologies used by SIGINT targets.

Presented with an improvement program requiring no new budget allocations, the committee had few objections. Each of the separate elements of the plan was considered individually by the committee, however, with the proposal to purchase a supercomputer approved immediately, other elements approved during the summer, and still other, longer-term, parts dealt with over the next several years, with some of the delay in the latter caused by the need to complete policy reviews initiated by the new Mulroney government after the September 1984 election.


The first element of the plan that ICSI approved was Project ELEVATOR, the purchase of a Cray X-MP supercomputer and hiring of the staff needed to revitalize CSE’s cryptanalysis, or codebreaking, program.

This is a photo of that computer, which was the most powerful computer in Canada at the time of its purchase. Today the smartphone in your pocket would leave it in the dust, but when it was received in 1985 it revolutionized Canada’s cryptanalytic capabilities.


Canadian participation in ECHELON, the UKUSA program to monitor traffic on commercial satellites, was given initial approval in June 1984. Legal concerns, possibly related to the potential for inadvertent collection of Canadian private communications, delayed the start of monitoring operations, but by 1988 those concerns had been resolved.

This photo shows Leitrim in 1991. You can see the radomes covering the ECHELON satellite dishes at the top of the image.

A redacted part of CSE’s Strategic Overview seems to indicate that a different site was originally proposed for this program. I think that site may have been in Alberta, but that’s just a guess, and it may well be wrong. I submitted an Access to Information request on this question just over a year ago, but any of you familiar with that process can guess how that’s going. Still waiting.

 

PILGRIM was the program to operate intercept sites in Canadian diplomatic facilities. Approval to conduct surveys of potential sites seems to have been granted around October 1981. According to former CSE employee Mike Frost, the first permanent site began operations in New Delhi in 1983. (That’s the High Commission shown here).

All discussion of PILGRIM was redacted from the released version of CSE’s Strategic Overview document, but there is little doubt that additional sites figured as part of CSE’s plan, and other documents confirm that expansion of the program got the go-ahead no later than 1987.


MADRIGAL was the covername for foreign intelligence collection in Canada under s.16 of the CSIS Act. This of course depended on the passage and then entry into force of that Act, which happened at the end of August 1984.

This was a program that CSE had long pushed for. A tri-ministerial memorandum of understanding on how to initiate such operations was completed in 1987, but according to CSIS’ original watchdog, the SIRC, actual operations took a while to get off the ground, with little activity before the 1990s.


None of the foregoing meant that Canada was abandoning HF radio collection in the north, and the Strategic Overview plan also contained a program, PORCUPINE II, to modernize and streamline conventional radio collection at the intercept sites and ensure its compatibility with UKUSA partner systems.

Approved in August 1985, the program was expected to improve collection and compensate for the closure of Inuvik while generating an additional savings of 22 person-years.


Largely as a result of the Inuvik bargain, CSE was able to grow from around 600 employees at the beginning of the 1980s to around 900 by the end of the decade.

This included an increase in the SIGINT part of the organization from around 460 to around 700, enabling the agency to hire more analysts to cover its broader range of targets, begin limited 24/7 operations (mostly, I think, related to real-time processing of Soviet air activities facilitated by PORCUPINE II [and also by the High Arctic Data Communications System]), and staff the Client Relations Officer program that was used to relay SIGINT directly to senior departmental consumers.

Here's an ad CSE placed in the Ottawa Citizen in 1986 looking for Transcriber Analysts with “Slavic, Oriental, Middle Eastern or Romance language” abilities, reflecting the agency’s growing range of targets.

Some of the Inuvik person-year savings were retained by the military and used to create 771 Communications Research Squadron, which stood up in October 1987. Rather than serving at an intercept site, this unit was assigned to the Sir Leonard Tilley Building, CSE’s headquarters at the time, and its members were integrated into CSE’s SIGINT sections, boosting the total number of SIGINT personnel working within the agency to around 800 by the end of the decade – an increase of nearly 75% over the beginning of the 1980s.


To accommodate all these people, C Wing, the windowless concrete structure on the right, was added to the Tilley Building. Construction began in 1989 and was completed in 1992. I took this photo in 1990.

As most of you probably know, CSE left the Tilley Building in 2014-15, and — perhaps less well known — the newly renovated C Wing is soon to be the new home of the Government Operations Centre.


All of this was completed just around the time the Cold War ended, taking with it many of CSE's old Soviet targets.

Much of interest continued going on in the former Soviet space, of course, but CSE might well have shrunk significantly had it not already built the capability to monitor a much wider array of targets around the world.

Instead, the agency’s budget and staffing remained fairly static over the 1990s, declining only slightly, even as virtually every other department and agency in Ottawa suffered sharp reductions.

 

Since the 1990s, and particularly since 9/11, CSE has been growing almost continuously. It is now four times the size it was at the end of the 1980s. Four times!

The agency’s operations are increasingly cyber-focused, but not everything has changed. The satellite dishes are still in place. The embassy sites remain. S.16 operations continue. And even the radio intercept sites are still in operation, although remotely operated from Leitrim.

The red line on this satellite photo shows a 1-km-long Beverage antenna at the Masset intercept station. DND recently built a boardwalk to facilitate maintenance of this antenna, showing that it is still in active service.

An antenna like this is very highly directional, so it is not too hard to figure out what it’s listening to. The long-range radio transmissions it collects emanate from northern Russia.

I mention all this to bring things full circle. CSE did come “south from the cold” in the 1980s, and the changes since then have been even greater. But even with all the change that has happened, the Arctic mission was never abandoned, and it still goes on today.

 

Update 28 January 2025:  

As this image shows, the original four satellite monitoring dishes at Leitrim were removed sometime in late 2023 or early 2024. [Update 1 February 2025: The dishes were removed in January/February 2024.] There are still three uncovered dishes at the station — later additions — that may be involved in SIGINT activities, but this change seems to indicate a significant decline in Leitrim's role in satellite monitoring.