Thursday, December 08, 2022

NSICOP report on Global Affairs Canada

On November 4th, the National Security and Intelligence Committee of Parliamentarians (NSICOP) released the public version of its report on the security and intelligence activities of Global Affairs Canada (GAC), otherwise known as the Department of Foreign Affairs, Trade and Development.

There's a lot of new information in the report about GAC's role in the Canadian intelligence community as overseer, facilitator, collector, assessor, and consumer of intelligence. It's well worth reading.

In the following, I'll focus on what the report says about how Global Affairs works with the Communications Security Establishment.

 

GAC–CSE relationship

On page 24 (PDF page 33), NSICOP describes the overall relationship between CSE and Global Affairs:

GAC's collaboration with CSE ... dates back to the creation of CSE in 1946. GAC has long been a client of CSE's foreign intelligence collection ***. While GAC has had a formal consultation role for some of CSE's most sensitive activities since 2002, the coming into force of the CSE Act in 2019 provided GAC a more significant role in CSE's new authorities for cyber operations.

(NSICOP uses "***" to indicate where information that was in the classified version of the report has been redacted.)

GAC and CSE formalized their cooperation with the signing of a General Framework Agreement in 2009. The agreement recognized the organizations' cooperation in the collection of foreign intelligence, their long-standing collaboration on the implementation of Canada's Export Control legislation, and their response and handling of cyber incidents targeting GAC. (p 24/PDF 33)

Take note of that mention of "the organizations' cooperation in the collection of foreign intelligence"; we'll return to that point later on.

 

Computer Network Exploitation

Next we get a quick look at GAC's oversight of CSE computer hacking operations used to collect intelligence from information technology systems and networks, more formally known as Computer Network Exploitation (CNE).

All mentions of CNE are redacted from NSICOP's report, but it is clear from the context that CNE is the subject. (For more fun with CNE redactions, see here.)

The first formal agreement on consultation between CSE and GAC concerned the agency's *** activities. These activities use *** for the purpose of collecting foreign intelligence. In 2002, GAC and CSE signed a memorandum of understanding under which CSE would inform GAC prior to undertaking its most *** outside of Canada. (p 24/PDF 33)

The CNE memorandum of understanding was signed by the Minister of National Defence on 23 April 2002.

The agreement also granted GAC a role in challenging CSE's conduct of certain activities ***. While the 2002 memorandum of understanding remains in place, the two organizations streamlined elements of the agreement in 2015. (p 24-25/PDF 33-34)

GAC's role is to make sure the potential risks/rewards of CNE operations are assessed in the context of Canada's overall foreign policy.

 

Foreign relationships

CSE is also required to consult GAC before entering into any arrangements with foreign states or institutions. Since the 2019 entry into force of the CSE Act, it has been a statutory requirement that the Minister of National Defence consult the Minister of Foreign Affairs before approving such arrangements.

Given the recent nature of this authority, CSE has not consulted GAC prior to entering into such an arrangement at the time of writing. (p 25/PDF 34)

 

Defensive cyber operations (DCO)

The CSE Act also requires the Minister of National Defence to consult the Minister of Foreign Affairs prior to issuing an authorization for defensive cyber operations (DCO). DCOs are cyber operations designed to protect Canadian government networks or systems designated as being of importance to the government.

The Minister of National Defence issued the first authorization for defensive cyber operations in *** 2019. CSE officials developed this authorization in consultation with GAC. (p 26/PDF 35)

Although redacted here, the date of the authorization was 5 September 2019, as reported by NSICOP in its February 2022 cybersecurity report (p 77/PDF 89).

The November report provides some additional details on GAC's contribution:

At the operational level, GAC provides foreign policy risk assessments for all of CSE's planned defensive cyber operations. As part of its assessment of the proposed operation, GAC considers potential implications for Canadian interests, the operation's compliance with international law and cyber norms, alignment with broader foreign policy interests, the nature of the target (***) and whether the operations ***. (p 26/PDF 35)

Also interesting is this bit of news:

Between *** and *** , CSE planned but did not conduct any defensive cyber operations, because separate defensive cyber measures taken by CSE obviated the need for the planned cyber operations. (p 26/PDF 35)

It would be even more interesting, of course, if unredacted dates were provided. Fortunately, NSICOP's February 2022 report (p 96/PDF 108) did provide that information, stating that no DCOs were conducted during the first two DCO authorization periods (i.e., from September 2019 to August 2021).

That report also informed us that, "in the first year, normal cyber defence activities successfully mitigated the threat and obviated the need for a separate operation and in the second year, planned operations had not proceeded to the operational stage." (p 96/PDF 108)

It would be interesting to know if any DCOs have yet been conducted.

 

S.16 activities

Under s.16 of the CSIS Act, CSIS can collect foreign intelligence "within Canada" on request of either the Defence Minister or the Foreign Affairs Minister. This might entail monitoring the communications of an embassy in Ottawa, for example.

CSE often helps with technology, processing, and reporting of the intelligence that results from s.16 collection, and GAC plays a role as a requestor, assessor of foreign policy risk, and intelligence client.

In 2008, officials from participating organizations introduced a formalized governance model [for the s.16 program], which included a requirement to assess potential subjects against criteria linked to Canada's intelligence priorities and a permanent oversight committee structure (the *** Committee) with the responsibility to evaluate and endorse section 16 rationales before they are submitted for approval to the relevant ministers. (p 38/PDF 46)

All information about the committee, including its name, is redacted from NSICOP's report.

By contrast, a 2015 report by OCSEC, CSE's first watchdog agency, described the committee structure in detail, and this information was later released mostly unredacted to reporter Colin Freeze via Access to Information request A-2015-00082.

Some of the details may have changed since then, but if the information was releasable at that time, why not now?

 

Active cyber operations (ACO)

The CSE Act also "allows CSE to conduct active cyber operations to degrade, disrupt, influence or interfere with the capabilities or intentions of foreign entities." (p 41/PDF 49)

In recognition of the foreign policy implications of these activities, the Act stipulates that the Minister of National Defence may issue this authorization only if the Minister of Foreign Affairs has requested or consented to its issue. (p 41/PDF 49)

Note that this differs from DCOs, which require only consultation with the Foreign Affairs Minister.

"The Minister of National Defence issued CSE's first authorization for active cyber operations in 2019" (p 41/PDF 49), i.e., shortly after the CSE Act came into force.

The 2019 Annual Report (p. 25) of the National Security and Intelligence Review Agency (NSIRA) also confirmed that an ACO authorization was issued that year.

But NSICOP's report goes on to provide considerably more information than was released previously:

Between 2019 and 2020, CSE planned four active cyber operations and carried out one. (p 41/PDF 49)

The ACO that was carried out sought to "disrupt the activities of terrorists and violent extremists." (p 41/PDF 49)

The three ACOs not conducted sought "to disrupt foreign cyber threats to the 2019 federal election"; "to counter the dissemination by specific terrorist groups of extremist material on-line"; and "to mitigate threats posed by foreign cybercriminal groups targeting Canadians". (p 41-42/PDF 49-50)

The election-related ACO was not conducted "because no specific state-led operations were detected", while the other two did not get done "due to operational restrictions arising from COVID". (p 41-42/PDF 49-50)

(For more on the effect of the COVID-19 pandemic on the Canadian security and intelligence community, see this book.)

In August 2019, the Minister of Foreign Affairs directed GAC officials to work with CSE to develop a formal governance mechanism to ensure CSE's cyber operations align with Canada's foreign policy and international legal obligations. (p 42/PDF 50)

This led, in 2020, to the creation of "the CSE–GAC Active Cyber Operations/Defensive Cyber Operations Working Group and a comprehensive governance framework for consultation on cyber operations". (p 42/PDF 50)

The report also reveals that, inside CSE, "the Cyber Operations Group and the Cyber Management Group oversee CSE's cyber operations. These are executive bodies, at the director- and director general-level respectively, that review and approve cyber operation plans and risk assessments. The Director of *** and the Deputy Chief of Signals Intelligence chair the respective committees, and membership depends on ***." (p 43/PDF 51)

This is the first official confirmation, I think, that CSE's cyber operations are lodged in the agency's SIGINT branch.

Interestingly, NSIRA also recently looked at the GACCSE relationship with respect to the governance of ACO/DCO activities.

Among other findings, NSIRA stated that "CSE and GAC have not established a threshold to determine how to identify and differentiate between a pre-emptive Defensive Cyber Operation and an Active Cyber Operation, which can lead to the insufficient involvement of GAC if the operation is misclassified as defensive." (p 69/PDF 77)

In total, NSIRA made nine recommendations for improvements relating to "engaging other departments to ensure an operation’s alignment with broader Government of Canada priorities; demarcating an ACO from a pre-emptive DCO; assessing each operation’s compliance with international law; and communicating with each other any newly acquired information that is relevant to the risk level of an operation." (p 21/PDF 29)

The full set of findings and recommendations can be found on pages 69-71 (PDF 77-79) of NSIRA's report.

 

PILGRIM's progress

Getting back to NSICOP, the next two pages of the committee's report (p 44-45/PDF 52-53) discuss a program that is ostensibly so secret that all information is redacted except for one sentence: "GAC states that it derives its authority for the program from the Crown prerogative." (p 44/PDF 52)

This is clearly the program known at one time as PILGRIM for the operation of CSE intercept facilities inside Canadian diplomatic missions, our equivalent of U.S. Special Collection Service sites.

Presumably it was this program that NSICOP was alluding to when (as I noted at the beginning of this post) it mentioned GAC and CSE's "cooperation in the collection of foreign intelligence". (p 24/PDF 33)

All of the Five Eyes partners operate such intercept sites, known collectively under the coverterm STATEROOM, but the official policy is to pretend no one knows Canada does this sort of thing, so even the fact of its existence remains classified. That rare allusion is as close as we get to an official confirmation.

Still, NSICOP did manage to flag some concerns about GAC's role in the program in its descriptions of three of the redactions (p 45/PDF 53):

1. "The paragraph noted that the Department does not have any policies, procedures or documents to govern its involvement, and does not have any reporting requirements to the Minister".

2. "The paragraph noted challenges regarding the management of risk."

3. "The paragraph noted the Department's failure to inform the Minister of important issues."

One of the report's four recommendations was probably aimed in part at this program:

R3. [NSICOP recommends that the] Minister of Foreign Affairs put in place comprehensive governance mechanisms for the Department's security and intelligence activities and for those that it supports or contributes to at partner organizations. Those mechanisms should better document processes and decision points to strengthen accountability and institutional memory. (p 95/PDF 102)

 

Intelligence Access and Countermeasures section

A few pages after the intercept sites discussion — past another almost entirely redacted part called "Logistical Support ***" that probably discusses GAC's occasional provision of support to Five Eyes partner HUMINT agencies like MI6 and the CIA — is a chapter on GAC's own intelligence activities.

There is a lot of very useful and rarely if ever reported information in there about what Global Affairs itself does in this field, but for my purposes I want to highlight just one aspect:

In 2017, GAC established a division within the Intelligence Bureau responsible for the management of highly classified communications at missions abroad. This Intelligence Access and Countermeasures section works closely with CSE to accredit and protect GAC's signals intelligence secure areas. (p 51-52/PDF 59-60)

("Signals intelligence secure area" (SSA), by the way, is the Canadian SIGINT community's equivalent for what in the U.S. is known as a secure compartmented information facility, or SCIF.)

NSICOP's description of the Intelligence Access and Countermeasures section gives the impression that it deals only with GAC's own communications, and maybe it does do only that. But the fact that "Intelligence Access" is included in the section's name may indicate that it also looks after the intercept sites at the missions, which of course also would be located in SSAs.

A probably much less likely theory is that the unit is also mandated to conduct close-access operations, which are designed to enable SIGINT collection by placing antennas or other collection systems in close proximity to targeted information technology systems and/or installing hardware or software implants directly in them.

The foreign intelligence collection authorities granted to CSE in the CSE Act are broad enough to encompass close-access activities:

The foreign intelligence aspect of the Establishment’s mandate is to acquire, covertly or otherwise, information from or through the global information infrastructure, including by engaging or interacting with foreign entities located outside Canada or by using any other method of acquiring information, and to use, analyse and disseminate the information for the purpose of providing foreign intelligence, in accordance with the Government of Canada’s intelligence priorities. (s.16)

And the agency could, with Global Affairs' agreement, deputize GAC personnel to conduct such operations on its behalf.

However, heads far wiser than mine consider it all but inconceivable that any Canadian government would ever muster the will to attempt such inherently perilous operations, with their potential for embarrassing exposure and, worse, risk to the life or liberty of the individuals participating.

Also, we might expect there to be a lot more discussion of the topic in this report if the section's role really did extend that far. (That said, it's not impossible that there is such a discussion buried in the redacted parts of the report concerning intercept sites.)

I'm probably letting my imagination run away with me when it comes to close-access ops. But I'll keep pondering that imponderable because certain comments made by CSE's former Deputy Chief SIGINT way back in 2007 leave me strongly inclined to believe that CSE would very much like the government to conduct such operations for it.

 

There is a lot of other valuable information about GAC's intelligence role in this report, but that pretty much covers the CSE-related aspects.

 

Redactio ad absurdum

I will make one final complaint about pointless redactions, however. On pages 75-78 (PDF 83-86) there is a case study of a kidnapping incident involving a Canadian from which almost all personal details have been redacted.

Maybe it's intended as a privacy thing, but it only takes about a minute on Google to fill in all those blanks.


Thursday, August 18, 2022

Notes on CSE's 2021-22 Annual Report


CSE's 2021-2022 Annual Report was released on June 28th. At roughly 15,000 words, the report is significantly longer and more informative than last year's, and about five times as long as CSE's first annual report, released in 2020. Although large gaps remain (and to some extent will always remain), this is starting to be a respectable — and useful — document.

Of course, a lot of that text focuses on the cyber security side of the agency, the Canadian Centre for Cyber Security, which accounts for about 30% of CSE's resources. Relatively little discusses the signals intelligence (SIGINT) and cyber operations side, which accounts for the rest.

This is unsurprising, as spying and online covert action need a pretty substantial level of secrecy. But they are also the areas where CSE's activities are most likely to negatively impact the general public, and boilerplate assurances that CSE is prohibited from directing its activities at Canadians are not enough.

For one thing, this prohibition does not apply when CSE is acting under its assistance mandate, providing support to CSIS, the RCMP, CBSA and other law enforcement and security agencies, subject to their authorities. The report has just one sentence referring to CSE's support activities (p. 12).

Also, between incidental collection of communications and bulk collection of metadata, CSE and its Five Eyes partners can collect, analyze, and report a great deal of information related to Canadians in the course of pursuing their non-Canadian targets.

In its classified reporting to the Minister of National Defence the agency provides a wide range of data on the amount of Canadian-related information it acquires and uses. There is no reason why much of that data could not be declassified and reported here, where it would provide useful reassurance of the limited extent to which CSE invades the privacy of Canadians. That's of course unless the data wouldn't actually be reassuring, in which case there's all the more reason why we should see it.

For more on the kinds of information that could be reported, see my comments on last year's report. Some of this information could and probably should be reported by the National Security and Intelligence Review Agency (NSIRA) also, but in that case too it depends on CSE approving its declassification.

One welcome bit of new information in the report is the discussion of active cyber operations (ACO) and defensive cyber operations (DCO) (pp. 13-14), where we learn a little more about the way authorizations work and the types of activities CSE is conducting.

The report confirms, for example, that a single authorization may cover multiple cyber operations and explains that "there are also cases where an Authorization may be anticipatory, with no operations required in the end."

The examples provided of the types of cyber operation that CSE has conducted are much more revealing than anything previously acknowledged by the agency, noting, for example, the use of "active cyber operations capabilities to disrupt the efforts of foreign-based extremists" and "to assist the Canadian Armed Forces in support of their mission." Note, however, that in neither of these cases is it made clear whether the operations mentioned were conducted under CSE's own active cyber authorities or as assistance activities.

The report also reveals that "CSE has embarked on a long-term campaign designed to reduce the ability of cybercrime groups to target Canadians, Canadian businesses and institutions. Working with Canadian and allied partners, CSE has helped reduce the ability of cybercriminals to launch ransomware attacks and to profit from the sale of stolen information."

Overall, then, the section on cyber operations is much more informative than the grudging acknowledgements the agency has made in the past on the subject and presumably reflects a deliberate decision to use the annual report as the place to begin providing at least a sliver of the kind of transparency CSE keeps talking about.

 

Other information

Also nice to see: the pages on SIGINT (11-12) update the statistics on SIGINT reports, clients, and customer departments/agencies introduced last year and add some general information about the kinds of intelligence topics CSE pursues: "CSE intercepts and analyzes electronic communications and other foreign signals to inform the Government of Canada about the activities of foreign entities that seek to undermine Canada’s national security and prosperity.... CSE SIGINT also supports government policy-making in defence, security and international affairs."

Among the (non-exhaustive) examples of intelligence topics given are:

  • activities of hostile states, including cyber threats
  • cybercrime
  • espionage directed against Canada, including economic espionage
  • foreign interference and disinformation campaigns
  • kidnappings of Canadians abroad
  • terrorism and extremism, including ideologically motivated violent extremism (IMVE), and
  • threats to Canadians and Canadian forces abroad

Unmentioned, however, are the sorts of things that fall into the polite-fiction category, where we pretend no one knows we do them even though everyone knows we do, such as intelligence collection on other countries' negotiating positions at international conferences or data relevant to trade policy.

In no case should any of these topics be surprising, however, which underlines the pointlessness of treating broad intelligence priorities (as opposed to specific targets) as a huge secret.

The report also has a short section following up on NSIRA's concerns about CSE's sharing of Canadian Identifying Information (CII) with SIGINT customers (see my earlier post here). "The [NSIRA] review made 11 recommendations to improve our processes for dealing with these requests. Since the review began, CSE has completed 10 out of the 11 recommendations.... The final recommendation, to conduct a Privacy Impact Assessment (PIA) has been launched. We expect to complete the PIA in 2022."

"The review also raised concerns that some disclosures of CII during the period of the review may have been non-compliant. After detailed analysis of CSE’s program, and the disclosures related to 2,351 Canadian identifiers cited in NSIRA’s report, and following consultations with government partners, CSE is satisfied that all but one of those disclosures were compliant. The single disclosure that was not compliant with the Privacy Act has been retracted and the data that was disclosed has been purged by the receiving institution."

Whether an NSIRA examination would draw exactly the same conclusions may be doubted, but I suspect it would agree in the great majority of cases. (NSIRA's original point wasn't that the requests were unjustifiable, but that the case for their justification had not been properly provided.) Still, it's good to see CSE using its annual report to follow up on issues arising from review agency reports.

 

Resources

On p. 56 we learn that CSE now has around 3200 full-time employees, which is up about 200 from the year before. The agency is now about 3 1/2 times as large as it was at the end of the Cold War! And it's still growing.

The promises made in Budget 2022 imply that CSE could be headed to around 4000 employees over the next several years, although some of that possible growth might go to contractors rather than staff. 

But you won't find any forward-looking budget or staffing data here. Nor will you find current budget data, other than the 2021-22 budget authorities number: $859 million. Note, however, that this number should really be $860 million, since it is almost certainly based on the $859,771,899 figure recorded in the 2021-22 Supplementary Estimates (C). Based on past performance, the actual amount that CSE ends up spending during 2021-22 is likely to be somewhat lower than this, but we won't know that number for some time.

Back when CSE was still part of the Department of National Defence, we used to get a lot more budget data about CSE, with spending broken down into salaries and personnel, operations and maintenance, and capital spending, and also projected into future years:

 

But all of that detail ended when CSE became a stand-alone department in 2011, and the agency has never provided any kind of public explanation of why it can no longer release such information.

By contrast, CSE's colleagues at the Australian Signals Directorate (ASD) manage to publish reams of spending data every year with no evident ill effects. Apparently CSE's data is uniquely sensitive in ways that must never be publicly explained.

 

Conclusion

The above griping notwithstanding, I do think this report is a significant improvement on its predecessors. Kudos to CSE for that.

And this year they finally made it available as a PDF as well as a web document! Yay!

 

For a much more comprehensive look at the contents of the report, check out Chris Parsons' post here

See also media coverage by Alex Boutilier and Cat Tunney.

 

Update 20 August 2022:  

The references to "Mandate C' in the original version of this post have been changed to "assistance mandate". As I was gently reminded, the Mandate C nickname dates to the pre-CSE Act period, i.e., before 2019. While fogies like me may still reach for it as a handy shorthand way to refer to CSE's mandate to assist federal law enforcement and security agencies (including, since 2019, the Canadian Forces and the Department of National Defence), when writing for others it's better to be comprehensible and accurate.


Sunday, July 31, 2022

Diversity in the top ranks of CSE

Improving diversity within CSE and other parts of the intelligence community is an ongoing challenge, but with the appointment of the first non-white Canadian to the position of Chief of CSE (effective August 31st), I thought I'd take a look at how things are going at the top level of the agency's hierarchy. As the chart below shows, that group is actually pretty diverse.

Chart showing top executives at CSE
At the top of the chart are incoming CSE Chief Caroline Xavier and, below her, Associate Chief Dan Rogers. The next level shows Deputy Chiefs and equivalents: from left to right, Deputy Chief SIGINT (DC SIGINT) Alia Tayyeb; Canadian Centre for Cyber Security (CCCS) Head Sami Khoury; Acting Deputy Chief Enterprise Technology Services (DC ETS) Darrell Schroer; Acting Deputy Chief Authorities, Compliance and Transparency (DC ACT) Nabih Eldebs; Deputy Chief Strategic Policy, Planning & Partnerships (DC SPPP) Wendy Hadwen; and Deputy Chief Corporate Services (DC CS) Gibby Armstrong. I have also shown the Cyber Centre's Associate Head, Rajiv Gupta. Other CSE officials at Gupta's rank (Director-General) are rarely publicly identified, so that's as far as it is practical to look.

CSE doesn't keep me updated on its executive appointments (or any other matter), so it's possible that some of the incumbents in these positions have changed, but this chart should be pretty close.

Of the nine officials shown in the chart, four are women, and five (three men and two women) are non-white. Some of the officials may also belong to other traditionally excluded or under-represented groups, such as 2SLGBTIQ+ persons, religious minorities, or persons with disabilities, but I have no information about that.

 

Dwyer straits

Photo of Peter Dwyer
CSE wasn't always as diverse as this. There was a time, in fact, when the battle for diversity in the upper ranks of the agency meant a demand to hire more (white) Canadian men instead of so many (white) British men.

As far as I can tell, CSE never had employment policies as overtly racist as those at GCHQ, which systematically barred all "coloured" people from employment at the agency until the 1980s, or even those at NSA and its predecessors, where, for example, until 1956 almost all African American employees were concentrated in a low-paid, segregated unit dubbed, inevitably, "the Plantation".

But of course a lack of evidence of egregious racism in no way means that no racist or otherwise discriminatory practices existed at CSE. And there is no reason to assume the agency has been any less discriminatory in its practices than the overall public service, or indeed Canadian society in general.

It wasn't until 1977 that CSE even established an advisory position on equal opportunities for women. Like today, about one-third of CSE's staff at that time were women, but they were "concentrated in lower level - lower paying jobs" such as clerical and secretarial work and were rarely promoted to upper management positions. As I noted here, the top echelons of the agency have come a long way in that respect since then.

Statistics on equity, diversity, and inclusion across the entire staff of CSE are hard to come by, but they have started to be reported in recent years. CSE's most recent annual report, for example, published these statistics on employment equity representation versus workforce availability (click image for larger version):

As these numbers show, CSE still has a long way left to go with respect to persons with disabilities and those described as "visible minorities". (The term "visible minorities," the report notes, "is considered outdated. We use it here in the context of the Employment Equity Act, which is currently under review.")

It's also worth recognizing that the "workforce availabilities" shown in CSE's chart relate to the specific occupational categories CSE seeks to fill and thus themselves reflect persisting societal and systemic barriers to inclusion. As target levels they are at best relative measures of progress.

This can be seen in the statistics pertaining to women, who are assessed as having a workforce availability of 35.4% for CSE even though they represent 50.4% of Canada's population and their availability for the public service as a whole is assessed to be 52.7%.

The same point could be made with respect to Indigenous people. While CSE seems to be doing reasonably well, with Indigenous people representing 1.93% of the agency's staff versus a workforce availability of 2.08%, the assessed availability of Indigenous people with respect to the public service as a whole is twice as high (4.0%), suggesting there is a lot of room for growth if obstacles to participation in occupations of interest to CSE were reduced.

NSICOP's study of diversity and inclusion in the Canadian security and intelligence community, published in 2020, provides a useful further discussion of these issues and some additional statistical information, notably representation at the executive level of Canadian S&I agencies in 2017-18. (I'm not sure where the cut-off for this category is in CSE, but it likely includes everyone from the Chief down to the Director-General and, I would guess, Director level.) Interestingly, CSE significantly under-performed in terms of visible minority representation within the executive category at that time.

As the NSICOP report and the CSE annual report both acknowledge, women, Indigenous people, persons with disabilities, and visible minorities are not the only groups relevant to questions of equity, diversity, and inclusion.

In May 2021, a senior official from CSE's SIGINT branch, Artur Wilczynski, was appointed Assistant Deputy Minister, Senior Advisor for People, Equity, Diversity and Inclusion as part of "a focused effort to bolster a welcoming and inclusive community at CSE, to identify and break down systemic barriers to full participation, and to help empower historically discriminated against groups within the Public Service." Prior to his retirement earlier this summer, Wilczynski oversaw the production of CSE's first equity, diversity, and inclusion guide, which incorporates this broader understanding of equity-deserving groups, including the 2SLGBTIQ+ community, religious minorities, the neurodivergent, and others.

This episode of the Intrepid podcast, featuring Wilczynski and Nabih Eldebs (then the Director General of Policy, Disclosure and Review at CSE), is also a good source of information on the recent state of play at the agency. 

 

Conclusion

Obviously, the presence of women and non-white people in key leadership positions at CSE does not mean that problems of systemic discrimination and under-representation no longer exist at the agency, or even necessarily that meaningful progress is being made. And it would certainly be a mistake to use year-to-year changes in appointments to upper executive positions as a measure of the agency's overall progress or lack thereof. But representation does matter. The agency seems to be making good-faith (if undoubtedly imperfect) efforts to improve its performance on these issues at all levels of the organization, and in that context the fact that the top levels of CSE are visibly diverse sends an important message of hope that all Canadians can find a home at the agency.