The Intelligence Commissioner’s 2023 Annual Report was released on 6 May 2024. This was the fifth annual report issued by the Intelligence
Commissioner since the position was created in 2019, and we are now starting to
get a clearer picture of how this system works in practice.
What I plan to focus on in this blog post is the part of the Intelligence
Commissioner’s job that involves overseeing the Ministerial Authorizations (MAs)
that enable CSE to do things that might otherwise be illegal, such as
intercepting communications or hacking computers. MAs are issued by the Minister
of National Defence to cover CSE’s foreign intelligence program, its
cybersecurity activities on federal government infrastructures, and its
cybersecurity activities on non-federal infrastructures designated to be of
importance to the government of Canada. The role of the Intelligence
Commissioner is to assess the “reasonableness” of the minister’s decisions and
either approve or not approve each MA in whole or in part. Only those MAs or
parts of MAs approved in a written decision by the Commissioner enter into
force.
(The Defence Minister also issues MAs for CSE’s active and
defensive cyber operations, but those authorizations are not overseen by the Commissioner.
For a description of the full mandate of the Intelligence Commissioner, which
also entails oversight of datasets held by the Canadian Security Intelligence
Service (CSIS) and certain classes of acts or omissions by CSIS, see pages 7-10
of the annual report.)
The current Intelligence Commissioner, retired Federal Court
judge Simon Noël, took
over from the first commissioner, Jean-Pierre Plouffe, on 1 October 2022. Plouffe’s
work established the parameters for how the MA system created in 2019 would function
in practice – the bases on which reasonableness would be judged, the types of
information needed by the minister and the commissioner, the prescriptive role
of the deliberations and other remarks recorded in the commissioner’s written
decisions, and the fact that partial approval was possible. Plouffe also made a
commitment to declassify and publish the Intelligence Commissioner’s written MA decisions, which has
now begun to happen.
The 2023 Annual Report, which covers Noël’s first full year in office, shows that Noël
has picked up where his predecessor left off and is actively building on Plouffe’s
legacy.
So where are we today?
As can be seen in this chart reproduced from the report, the
Intelligence Commissioner and his predecessor have rendered decisions on 26 MAs
issued to CSE since the system began in 2019, including six in the last year. None
have been rejected outright, but in five cases, including three in the last
year, the MAs were only partially approved, with one or more elements rejected.
A clear pattern has now emerged: three foreign intelligence authorizations and one cybersecurity authorization for federal infrastructures are issued each year. Cybersecurity authorizations for non-federal infrastructures
are much less predictable, with one or two in most years and none in one year.
FOREIGN INTELLIGENCE MAs
The practice of issuing three foreign intelligence MAs per
year extends back into the previous statutory regime, before the office of
the Intelligence Commissioner was created, when MAs were issued by the Minister of National
Defence to make it lawful for CSE to intercept communications with one end in
Canada. As today, CSE was not permitted to target the communications of
people in Canada or Canadians anywhere except when operating under its
assistance mandate, but the MAs made it legal for CSE to intercept the
communications of foreign targets located abroad if they happened to communicate
with someone in Canada. Without the MAs this was a problem for CSE, because the
wilful interception of a communication with at least one end in Canada – a “private
communication” under the Criminal Code – is normally a criminal offense.
Under the statutory regime established in 2019, the MAs also
serve this purpose, but they encompass a broader range of information gathering,
including metadata, that might also implicate other laws and/or the privacy
rights of people in Canada and Canadians everywhere.
In both cases, however, the collective role of the three foreign
intelligence MAs issued each year has been to provide authorization for the
full range of CSE’s foreign intelligence programs.
CSE has never formally acknowledged how these three MAs
divide up the various programs, but I think the breakdown probably goes
something like this: one MA, call it “radio frequency activities,” covers
everything CSE collects that requires sticking up an antenna of some kind: high-frequency
radio communications, satellite transmissions, cell phone and local microwave traffic
in a foreign capital, etc; a second MA, call it “cable access,” covers CSE’s
collection from land-based telecommunications infrastructure (primarily
switching centres connected by fibre optic lines), with or without the
cooperation of the companies involved; and the third MA covers computer network exploitation (CNE) activities, i.e., computer hacking.
Whether this breakdown is correct or not, it is clear
that three broad classes of activities are consistently being renewed year
after year, probably with only minor modifications from one year to the next, and that all of the
activities listed above are among those contained in the MAs somewhere.
On the whole, the MA process seems to be running pretty
smoothly. During the first four years of the new regime, only one of the twelve
foreign intelligence MAs issued was less than fully approved. Last year, however, that pattern broke, as all three of the
2023 MAs had elements rejected by Commissioner Noël.
As is
usually the case when dealing with CSE, redactions prevent us from knowing all
the details of what Noël objected to. But we do know there was a lot of overlap
in the three decisions: in all three cases, Noël objected to the inclusion of
catch-all provisions permitting CSE to carry out “any other activity that is
reasonable in the circumstances and reasonably necessary in aid of any other
activity, or class of activity, authorized by this Authorization.” This
provision was based directly on the language in paragraph 26(2)(e) of the CSE
Act, the statute that gives CSE its powers, but as Noël argued, that act
requires that the minister be the judge of the reasonableness of such activities
and that the reasonableness of the minister’s decision then be assessed by the
Intelligence Commissioner: it does not empower the minister to delegate that determination
to officials at CSE by pre-approving whatever CSE later judges to be reasonable.
In one of the MAs, the 21 April 2023 authorization, CSE also
sought permission for activities that, in the Intelligence Commissioner’s view,
fell outside the scope of the foreign intelligence section of the CSE Act,
encompassing a “much broader class of activities” than could “reasonably fit
into the more limited class found in the statute.”
We are left to speculate as to what kinds of things those
activities might entail.
Is there human intelligence at CSE?
One possibility might be that they concern computer network
exploitation operations conducted jointly with foreign partners such as NSA or
GCHQ, where the goals or methods of the operations might extend beyond those delimited
in CSE’s statute. Some of the intelligence sought might concern topics not
represented in Canadian intelligence priorities, for example. Or the overall goals
of the operation might consist of a blend of outcomes that in Canada fall under
the separate categories of foreign intelligence operations and foreign cyber
operations.
Another possibility is that the broader class of activities cited
by the Commissioner might encroach on more traditional spying, i.e., human
intelligence (HUMINT), territory.
The CSE Act permits CSE to “acquire, covertly or
otherwise, information from or through the global information
infrastructure, including by engaging or interacting with foreign entities
located outside Canada or by using any other method of acquiring information”
(emphasis added). One covert way to acquire SIGINT is to use contacts with
foreign individuals to obtain login credentials or other information about
target IT systems or even to install hardware or software implants on those
systems. This sort of activity could range from entirely online, legal business
arrangements conducted from CSE’s facilities in Ottawa all the way to,
depending on how generously you interpret CSE’s statute, the use of undercover
officers to run agents and conduct close-access operations in foreign
countries.
I don’t think CSE has any desire to operate way down on
the far end of that HUMINT spectrum, but in seeking to leave its options open for
actions on the more innocuous end, it may have proposed some sort of catch-all
language that was too inclusive for the Commissioner’s liking.
Whatever the actual issue at stake, the Commissioner
made it clear that, in his view, rejecting this particular provision of the
authorization did not restrict the activities that CSE had specific plans to
carry out under the MA, presumably because the specific things CSE already knew
it wanted to do were covered by the narrower, approved elements of the authorization.
The Commissioner
also noted that an MA that included an identical list of activities had been
approved by his predecessor, Commissioner Plouffe, just a year before on 29 June 2022, explaining that
this was not an impediment to his own conclusions because “that decision
was based on its own, different record.” This probably means that the
application submitted to the minister in that case spelled out a more limited
and specific set of measures that CSE could undertake to perform the activity
listed in the authorization and/or specifically ruled out some types of measures.
Interestingly, the one foreign intelligence MA that Plouffe did
not fully approve (the 20 July 2021 MA) was from the same family of
authorizations and was in fact the MA that was replaced a year later by the 29
June 2022 MA. It may be that Plouffe had the same or similar reservations back in
2021. In his 2022 decision, he wrote, “In my 2021 decision, I made remarks with
respect to the record received. I note that this year’s record responds to
those remarks.”
Whatever specifically concerned Plouffe in the 2021 MA was not
revealed to us, of course, but we were given a few clues. Part of Plouffe’s
concern was that “the application does not contain supporting information
explaining how, and through which specific activities the acquisition of
[redacted] would take place. The application does describe that CSE would be
acquiring this information from the GII” – the Global Information
Infrastructure – “by [redacted.] That being said, the application offers no
additional explanation as to how CSE plans to approach this method of acquiring
information, including what activities are contemplated.”
A report published by the National Security and Intelligence Review Agency (NSIRA) in 2023 may indicate that NSIRA had similar concerns
about an even earlier foreign intelligence MA.
That report looked at the 2019 MAs, the first ones issued
under the CSE Act. One set of activities provided for in one of the foreign
intelligence MAs was of particular concern to NSIRA, which noted that “Similar
activities conducted by other security and intelligence departments have been
found to require an explicit statutory justification regime…. The CSE Act contains no such justification
regime.” According to NSIRA, “Although these activities have not yet occurred,
there is no indication that CSE has fully assessed the ramifications – legal or
otherwise – of the activities authorized in [redacted] Authorization.” The
agency recommended that CSE “seek a fulsome legal assessment on activities
authorized by [redacted] MA prior to undertaking any collection activities
under [redacted] MA. The legal advice should address whether there is an
implicit justification regime created in [redacted] MA.”
More specific details were, you guessed it, redacted. But a
version released to me under ATIP request A-2021-011 was slightly more
forthcoming.
In the graphic above, the publicly released version of the report
is on top and the ATIP version is below.
As can be seen, at least part of NSIRA’s concern seems to
have been related to the nature of CSE’s interactions with individuals in the
course of its efforts to access information on the Global Information
Infrastructure. So, maybe there really is a HUMINT or HUMINT-adjacent nexus
here.
NSIRA’s report wasn’t released to the public in its
declassified form until 2023, but the classified version was completed in late
2020 or early 2021 and thus was very likely seen by Intelligence Commissioner
Plouffe before he considered the 20 July 2021 MA. Did it contribute to his
decision to only partially approve that MA? It certainly seems possible.
CSE more or less shrugged off NSIRA’s recommendation that it
seek a fulsome legal assessment of the proposals that concerned the review
agency, accepting it “in principle” but asserting that it already knew
everything was properly authorized. Maybe the Intelligence Commissioners have
been taking the issue – whatever it may be – significantly more seriously.
Internal thresholds
Another of the Intelligence Commissioner’s 2023 decisions provided some valuable information
about the limits that CSE and the Minister impose on the agency’s foreign
intelligence activities.
Under the CSE
Act, ministerial authorizations can make it legal for CSE to conduct
activities "despite any other Act of Parliament or of any foreign state."
The agency’s active and defensive cyber operations are forbidden from causing,
intentionally or by criminal negligence, death or bodily harm to an individual
or wilfully attempting in any manner to obstruct, pervert or defeat the course
of justice or democracy, but the act places no such limits on the
conduct carried out under CSE’s foreign intelligence or cybersecurity mandates.
Back in 2017, I joked that, for those mandates, the agency was
about to be licensed to kill. But I added that CSE would not only have to want
to do that, it would also have to convince the Minister that such an action
would be reasonable and proportionate, and then the Intelligence Commissioner
would need to conclude that the Minister’s decision was itself reasonable. So, they’d
need to have a pretty darn good reason to kill you.
Happily, there’s still no reason to think that CSE is actually getting into the killing
business.* (*Except in the context of providing intelligence and/or cyber
operations support to certain military operations conducted by or in partnership with the
Canadian Armed Forces under their authorities.)
But it’s
reassuring to learn from Noël that in some or perhaps all foreign intelligence ministerial
authorizations, the Minister also sets out “general internal limits on
CSE activities undertaken pursuant to the Authorization, including that CSE
will not cause, intentionally or by criminal negligence, death or bodily harm
to an individual or willfully attempt in any manner to obstruct, pervert or
defeat the course of justice or democracy” – i.e., the same prohibitions as
those applied to CSE cyber operations.
Noël is
strongly in favour of this approach, commenting, “I am of the view that
explicitly including these limits is necessary, as the CSE Act does not
provide for them [in the context of foreign intelligence authorizations] and
they do not appear in policy documents in the record.”
If there’s
one aspect of this that still leaves me slightly uneasy, it’s that bit where Noël writes
that these limits do not appear in CSE’s policy documents. The CSE Mission
Policy Suite is classified, and it can be amended at any time with no public
notice, but at least if the limits were spelled out in formal policy, we – and
CSE’s own employees – could be sure that the present intent is to apply them
universally. Spelling them out in statute would be even better. Making them an
add-on to annual ministerial authorizations restricts those limits to specific dates
and circumstances and at least theoretically preserves the option of not adding
them in some future instance.
I doubt
very much that anyone at CSE is trying to preserve even the theoretical option of
deliberate murder, but the limits cover much more than just that. Is CSE
hedging its bets on other activities that might cross into territory that is, for
cyber operations, forbidden?
Defining essential
The Intelligence Commissioners also add formal remarks to
many of their decisions to highlight issues that they feel deserve more
attention, and one of Noël’s
remarks in a recent decision raises an interesting issue.
In that decision, Noël noted that CSE may only
retain information relating to a Canadian or a person in Canada if it is
assessed to be “essential to international affairs, defence or security, including
cybersecurity,” and that, in an earlier decision, he had suggested that a
greater understanding of the operational definitions of what constitutes
international affairs, defence, and security, including cybersecurity, would be
beneficial. Noël reported that, in its response, CSE had tied its understanding of those terms to
the Government of Canada’s foreign intelligence priorities: if information is
essential to the provision of intelligence that responds to those priorities,
then for CSE’s purposes it is essential to international affairs, defence, or
security. “This approach avoids the difficult task of CSE having to independently
define the subjective, regularly-evolving, and context-specific bounds of the
terms international affairs, defence and security, and ensures its approach
does not result in inconsistencies with how Cabinet views those terms.”
This does seem like an elegant solution to the problem, and Noël wrote that he found it
reasonable: “Although the Minister does not include this definition in her
conclusions, which would have been preferable, I am satisfied that it falls
within a range of interpretations that could be reasonable given the purpose of
paragraph 34(2)(c) of the CSE Act.”
I wonder, however, if it begs the question to some extent.
The Cabinet determines Canada’s overall intelligence
priorities, the Minister of National Defence issues a directive to CSE detailing
the priorities relevant to its foreign intelligence mandate, and CSE then responds
to those directions. All that is true. But the priorities issued by the Cabinet and the minister are
expressed in very general terms. By the time they are articulated for CSE’s
purposes in the National SIGINT Priorities List (NSPL), CSE has had very
extensive input into what intelligence it specifically will or will not seek.
The NSPL cannot be inconsistent with the priorities set by Cabinet, but much of
the work of operationalizing those priorities falls to CSE itself, working in
cooperation with the Privy Council Office and major customer departments.
Furthermore, we know from the publicly released version of
the November 2012 ministerial directive that CSE has at least sometimes been
instructed to use its own initiative to collect intelligence on matters entirely outside the
specific priorities identified by the government: “In the course of its mandated
activities, CSE should also actively monitor and report on other issues to
ensure Canada is aware of and can respond to other intelligence related to
emerging events, opportunities, and crises.”
This is a sensible provision, as otherwise CSE would have to
wait for new instructions before it could provide early warning of emerging
issues or collect information on crises and other fast-moving topics that were
unanticipated at the time the priorities were issued. The same provision or something
much like it is probably in the current directive as well, and if it’s not, it
should be.
But this means that – at least in these edge cases – it is up
to CSE itself to determine what information is considered essential for Canada’s international affairs, defence, or
security.
The notion
that CSE doesn’t need to consider the question of essentiality because the answer
mirrors Canadian intelligence priorities may be a little less satisfying once
you consider that those priorities are articulated to an important degree by
CSE itself.
CYBERSECURITY – FEDERAL INFRASTRUCTURE
Moving on to cybersecurity, it is now clear that one omnibus
authorization is issued each year to cover all of CSE’s activities on the federal
government information technology infrastructure that might otherwise breach the
law or impinge on privacy rights. In practice, the authorization covers the
deployment of, and analysis and reporting of the data collected by, sensor
devices and software systems that monitor communications traffic and other activities on
consenting federal government networks (network-based sensors, NBS), cloud
infrastructure (cloud-based sensors, CBS), and endpoint devices, such as
government-issued laptops and smartphones (host-based sensors, HBS). These
systems are also used to implement mitigation measures to counter hostile
activity.
The authorization process for these activities seems to be
running pretty smoothly, with only one MA so far being less than fully
approved. That partial rejection occurred in Intelligence Commissioner
Plouffe’s 27 June 2022 decision.
In that case, the Intelligence Commissioner concluded that
the proposed activity was “outside the scope” of the relevant part of the CSE
Act, subsection 27(1), which provides for “accessing a federal
institution’s information infrastructure, and acquiring any information
originating from, directed to, stored on or being transmitted on or through
that infrastructure.” In Plouffe’s view, the notion of infrastructure implied
in CSE’s request covered “a much wider ambit than the notion of federal
institution’s information infrastructures found in [subsection 27(1)].”
In keeping with CSE’s ongoing commitment to make this kind
of analysis challenging, the details of the specific aspect of the MA that was
rejected were of course redacted, but I do have a guess for you.
[Update 2 June 2024: I originally guessed that the issue might have something to do with the deployment of the MAPLETAP cloud-based
sensor system, which began in January 2022. But I'm now doubtful that this is correct. According to the National Security and Intelligence Committee of Parliamentarians (NSICOP), the deployment of CBS systems began around 2019: "In 2019, [the Treasury Board Secretariat (TBS)] obligated departments to include
cloud-based sensors as part of their cloud implementation, and CSE and [Shared Services Canada (SSC)]
started onboarding departments for cloud-based sensor deployments. The
deployment of cloud-based sensors was further accelerated as a result of the
COVID-19 pandemic. In May 2020, TBS established service-specific guardrails for
Microsoft Office 365 and SSC fast-tracked, in collaboration with TBS and CSE,
the migration of departments to cloud-based email and collaboration services to
respond to significant demands for remote work. CSE and SSC collaborated to
rapidly add cloud-based sensors to *** organizations." This seems too early to be the issue raised in the June 2022 MA, unless the specific MAPLETAP CBS deployment somehow changed the equation.]
What happened next is even more interesting.
The following year’s MA left out the activity that Plouffe had
rejected, but not because CSE no longer intended to do it. Instead, CSE had obtained
a legal opinion that it didn’t need ministerial authorization for the activity
after all and had just gone ahead and started to do it!
Commissioner Noël,
who by that time had succeeded Plouffe, was distinctly unimpressed by this approach, commenting,
“I am left uncertain and perplexed as to why the activity in question, which I
understand is currently being carried out, no longer requires ministerial
authorization. Indeed, when a decision maker denies an application to conduct
an activity and is thereafter informed the activity is nevertheless being
conducted, I would expect an explanation to be reflected in the record, beyond
a simple statement that CSE obtained a legal opinion, particularly in an ex
parte context. I would have expected the same if the former Intelligence
Commissioner had authorized the activity and over the course of the year CSE
had amended its position and concluded the activity no longer needed
ministerial authorization.”
Bam.
The same issue then turned up a few months later in an MA proposal concerning non-federal infrastructure, in response to which Noël wrote that his concerns about
CSE’s behavior had not yet been addressed and that he expected CSE to “provide
a satisfactory response in the context of a future request for a cybersecurity
authorization.”
It’s not clear whether the reappearance of the issue in
that MA meant that CSE had decided to seek a non-federal authorization for
the activity that had been rejected in the 2022 federal authorization, or simply
that some other matter raising the same process concerns had arisen. Whatever
the subject was, that MA did end up being fully approved.
CYBERSECURITY – NON-FEDERAL INFRASTRUCTURES
Which brings us, at last, to the topic of authorizations for
cybersecurity activities on non-federal infrastructures, the final type of
CSE-related MA overseen by the Intelligence Commissioner.
CSE’s Cyber Centre provides a wide range of cybersecurity advice,
guidance, and services to institutions and even individuals outside the federal
government, but for a non-federal client to receive direct support, it must
first fall into a category of information and information infrastructures designated
by the Minister of National Defence to be of importance to the Government of
Canada.
According to NSICOP, an omnibus ministerial order issued on
25 August 2020 designates “10 critical infrastructure sectors: government
(federal, provincial, territorial, municipal and Indigenous), energy and
utilities, information and communications technology, finance, food, health,
water, transportation, safety, and manufacturing; information related to the
well-being of Canadians and the infrastructure lawfully containing it; entities
that support the protection of electronic information and information
infrastructures of importance to the government; multilateral organizations
located in Canada in which the government is a member; registered Canadian
federal, provincial, and territorial political parties and their electronic
information and information infrastructures; and post-secondary educational
institutions.”
More recently, on 17 March 2022, the Minister also
designated the electronic information and networks of the governments of Latvia
and Ukraine.
If an entity designated in a ministerial order requests
cybersecurity support from CSE, the agency then considers how it might respond
and whether it has the resources to do so. To provide services that entail the
collection of data about Canadians or that might otherwise contravene Canadian
laws or implicate the privacy of Canadians, CSE must also obtain an appropriate
MA.
Like CSE’s activities on federal government infrastructure, those
MA-based services probably normally involve deployment of network-, cloud-, and/or host-based sensors,
analysis of the data collected, and recommendation or direct implementation of
mitigation measures.
When CSE received the power to undertake such activities on
non-federal infrastructures in 2019, my initial expectation was that quite a
large number of authorizations would be issued.
But that has proven not to be
the case.
One set of MAs appears to have been issued on a continuing
basis since 2021, probably involving just a single company. This MA, doubtless
with minor annual modifications, has now been issued three times, and it will
likely continue to be issued in the future.
Beyond that set, only three other non-federal
MAs have been issued since 2019, two with the standard one-year validity and
one that expired after just six months. At least one of these MAs seems to have
been issued to deal with a short-term, comparatively urgent situation, after
which the entity that received support was expected to revert to providing for
its own cybersecurity, but some of them may also herald the beginning of a longer-term
relationship.
Details are, as ever, lacking, but there are a few clues
lying about that we can ponder.
According to NSICOP, when the CSE Act was drafted, “the
[non-federal cybersecurity] authority was meant to enable longer-term, more
proactive collaboration with non-federal organizations, particularly
telecommunications companies.” The ongoing set of three MAs probably falls into
this proactive category, which suggests that they may apply to a
telecommunications company. If we had to pick just one such company (these MAs
do seem to apply to just one), it would likely be Bell Canada. That said, if
the issue that arose with the last of these three MAs really did have something
to do with federal government use of cloud infrastructure, it’s possible that a
different kind of company was involved.
Whatever the recipient’s actual industry and identity may
be, CSE’s initial support involved the deployment of host-based sensors.
The other MAs have been more reactive. The first of these
MAs, the six-month special, seems to have been issued to support a Canadian managed
service provider (MSP) that had been compromised by China or some other state
actor. As NSICOP explained it, “In 2019, CSE detected efforts by a state to compromise the
network of a Canadian company. The state was well-known for its sophisticated
attacks against western targets. CSE identified the company as an organization
that provided services to a number of critical infrastructure clients and
formally identified the company as a system of importance to the government,
consistent with the Minister's ministerial order. … CSE informed the company of
the compromise and, in response to its request for assistance, worked with the
company to stop the attack.”
NSICOP also noted that “It took time from when CSE
detected anomalous cyber activities to when it helped the company take
protective measures and obtained ministerial approval to assist. This is not a
criticism: the fact that CSE identified the attack at all is a testament to how
closely it monitors threats to Canada. But such attacks must be addressed
"at the speed of cyber." An advanced threat actor can compromise a
system, steal data or undermine system functionality in a worryingly short
period. The government must continue to consider practical means for CSE to
respond to rapidly emerging cyber threats while ensuring adequate ministerial
control and accountability.”
While this concern was surely valid, it seems likely that in
this case the delay was mainly caused by the company itself: according to NSIRA,
the MA was issued by the minister shortly after the company’s formal request
for assistance was submitted.
This first non-federal MA appears to have been a success
except for one minor glitch: it seems that someone may have forgotten to turn
off the data feed when the MA expired. As NSIRA reported in its 2020 annual report, "In 2019-20, CSE had concerns that it may have received
information outside of a valid MA period, in relation to cybersecurity
activities on a certain type of infrastructure. CSE ultimately notified the
infrastructure owner, purged the inadvertently received information from its
systems in accordance with standard privacy safeguards, and launched a review
of the incident for the purpose of identifying and implementing additional privacy
protection measures. CSE also proactively engaged the Minister of National
Defence and NSIRA for transparency and accountability purposes. NSIRA
appreciates that CSE brought this incident to its attention. NSIRA did not
consider the incident to be of major concern, but view CSE’s proactive and
voluntary notification of the incident as a key success in the NSIRA-CSE
relationship.”
The next reactive MA didn’t appear until 8 December 2022,
when a one-year authorization for support to an unnamed client was approved. CSE’s
2022-23 annual report made a brief mention of this instance: “This year, the
Cyber Centre also deployed over 5100 host-based sensors to protect a
non-federal institution that was experiencing a serious cyber incident. This
emergency rollout was authorized by the Minister of National Defence.”
In this case, there seems to have been considerable delay
between the discovery of the compromise and its reporting to CSE. The subsequent
response may have been an “emergency rollout” in CSE’s eyes, but Intelligence
Commissioner Noël commented that “The record does not explain this lapse of
time, which raises some questions regarding the urgency for CSE to provide
[redacted].”
When the government of Nunavut suffered a major ransomware attack
in November 2019, it was forced to disconnect and sanitize or replace its
entire IT infrastructure, comprising more than 5,000 devices. That number is strikingly
similar to the 5,100 host-based sensors deployed by CSE to its unnamed client
three years later, which makes me wonder if Nunavut may have been the client for
the 8 December 2022 MA. However, three years would certainly be a significant “lapse
of time.” If the client was indeed Nunavut, maybe some later incident was the ultimate
catalyst for the deployment.
[Update 28 June 2024: CSE's latest annual report, released on June 25th, reveals that the client was actually a different (but similarly sized) territorial government, that of the Northwest Territories.]
The most recent of the reactive MAs was approved just under
one year later, on 30 November 2023. Unusually, this MA seems to involve more
than one recipient of CSE’s services. The file contains multiple letters of
request, and the MA provides for the deployment of CSE services at an
undisclosed number of client “agencies”. The MA also allows for the onboarding
of additional agencies from the same client (or clients) following notification
of the Minister and the Intelligence Commissioner.
This doesn’t sound like a private company. My guess is that
this MA also involves a provincial or territorial government, conceivably even
more than one. In September 2023, several of those governments suffered a
highly public series of apparently state-sponsored distributed denial of service (DDoS)
attacks that knocked some of their services temporarily off-line. You don’t
need intrusive CSE sensor systems to respond to a DDoS attack, but that event may
have caused one or more of those governments to review their cybersecurity
posture and decide that more comprehensive assistance from the federal
government would be prudent.
It's possible that this MA also incorporates the client from
the 8 December 2022 MA.
If the subject of the 30 November 2023 MA really is a
provincial or territorial government (or more than one), then this MA may turn
out to be one that is renewed year after year rather than a one-time activity.
[Update 28 June 2024: CSE's annual report reveals the identities of these clients as well, disclosing that CSE has begun "the process of deploying sensors on Northwest Territories, Nunavut and Yukon government systems". So, my guesses seem to have been pretty good in this instance, and it seems likely that this MA will indeed be renewed annually.]
Large volumes of information
Either way, the assistance provided was expected to involve
the acquisition of large volumes of information. According to the Intelligence
Commissioner, “although the Minister’s conclusions do not provide details about
the volume of information related to a Canadian or a person in Canada that will
be acquired, they reflect his understanding that there will be large amounts
given that information is acquired from non-federal systems in Canada.”
This expectation, and a rather sweeping assertion by CSE
about what it could do with such data, inspired the Commissioner to address the issue
of information-sharing across the various aspects of CSE’s mandate: “The
Authorization states that ‘[i]nformation acquired by CSE under one aspect of the
mandate can then be used within CSE to serve other aspects of its mandate, so
long as it is relevant to that aspect and meets any particular requirement of
the CSE Act that may need to be followed, such as applying measures to
protect the privacy of a Canadian or person in Canada.’ This is CSE’s position
in all cybersecurity and foreign intelligence ministerial authorizations.”
The Commissioner noted that CSE’s wider uses of such
information could be a factor in determining whether a cybersecurity
authorization is reasonable and proportional: “For example, incidentally acquiring a large quantity of
information, knowing some of it benefits from a reasonable expectation of
privacy and a lot of it will not be assessed as useful, may be reasonable and
proportional on the basis that it is necessary for effective cybersecurity.
However, this conclusion may change if the information is also to be used for
other purposes or other aspects of CSE’s mandate. Canadians may accept that an
email from a grade 12 student to a teacher could be acquired by a non-federal
entity responsible for cybersecurity of the school’s system because of
potential malware. At the same time, Canadians may think the CSE, on behalf of
the federal government, is intruding if that legally acquired email containing
no malware appears in foreign intelligence reporting.”
Somewhat reassuringly, Noël concluded that such sharing is
much more limited in practice than the blanket statement in the authorization might
imply.
In CSE’s internal policies, “any access to and use of
unassessed information acquired pursuant to a cybersecurity authorization must
be ‘consistent’ with the cybersecurity aspect of the mandate.” (Unassessed
information is data that has been collected but has not yet been assessed by a
CSE employee for its essentiality to the cybersecurity purpose specified in the
authorization.)
And even if access to unassessed information were to be granted
for CSE’s other mandates, the CSE Act specifies that information related
to Canadians or persons in Canada cannot be retained or used unless it is itself
deemed essential for the original cybersecurity purpose.
Some such information does get deemed essential, and some of
it does get shared. (And here I would add that the volume of that sharing is
something that CSE absolutely refuses to disclose to the public.) But such
sharing is certainly much more limited than it would be if full access to
unassessed information were provided.
Noël concluded, “The general blanket statement [in the
authorization] purports that CSE has free rein to use all of the information it
acquires for all aspects of its mandate as long as it is relevant to that
aspect. However, the policy framework and CSE’s practices, at least my review
and understanding of them, show that access and use of the unassessed
information in this case is limited and must be consistent with cybersecurity
purposes. In my view, the general statement requires that additional details explaining
these limitations be clearly set out in the record. It is imperative for the
Minister and I to understand how CSE is acting within limits imposed by the
law. I expect that will be the case in future authorizations.”
Where is everybody else?
With just six MAs issued for cybersecurity services on
non-federal infrastructures since CSE obtained the power to offer such services
in 2019, it is evident that only a handful of clients have accessed
CSE’s more intrusive capabilities.
To an extent, this was to be expected: it was always CSE’s intent
that non-federal entities should use their own IT staff, augmented by private
sector cybersecurity services, to look after their own security as much as
possible.
And the scarcity of MA-based activities does not mean that
CSE has abandoned the non-federal sector. CSE provides many kinds of support to
operators of infrastructures of importance that do not require MAs. These range
from public alerts and advisories, to the provision of more targeted and restricted
briefings and data feeds, to the analysis of non-privacy-related data shared by
those infrastructure operators.
The IESO Lighthouse initiative is a good example of data
sharing that does not require an MA.
However, another reason for the low number of MA clients may
be that CSE can only provide those services to clients that have formally
requested them. (This is true also for the specific federal government
departments and agencies supported via CSE’s federal cybersecurity
authorizations, but in that case there is a strong push within the government to
ensure such requests do get made.)
As the extensive list in the 25 August 2020 ministerial
order indicates, Canada depends on a lot of different kinds of critical
infrastructure, and hostile or potentially hostile states are known to be poking
around in that infrastructure to lay the groundwork for potentially disrupting
or damaging parts of it in the event of conflict. That infrastructure is also
vulnerable to attacks by non-state actors for criminal purposes, such as
ransomware, or for other reasons.
To better protect against those threats, Bill C-26,
which is currently before parliament, would enable the government to mandate
the implementation of specific cybersecurity programs and practices across several
of the most important critical infrastructure sectors.
Most of those measures presumably would not require the
direct participation of CSE. But if the law is passed, it is possible that we will
also see an increase in the number of non-federal cybersecurity MAs issued, with
the current voluntary arrangements augmented in some cases by mandated, more proactive,
deployments of CSE’s monitoring and mitigation systems.
[Update 7 June 2024: It's worth adding that Citizen Lab and others have expressed serious concerns about some aspects of Bill C-26. See, for example, Kate Robertson and Ron Deibert, "Ottawa wants the power to create secret backdoors in our networks to allow for surveillance," Globe and Mail, 29 May 2024.]
CONCLUSIONS
Five years into CSE’s new foreign intelligence and
cybersecurity ministerial authorization regime, some patterns are becoming
clear.
The Intelligence Commissioners have done important work to
establish the necessary documentary record, systematize the MA process, and
clarify both the key issues that the Minister of National Defence must address
when issuing authorizations and the bases on which the Intelligence
Commissioners will assess the reasonableness of the Minister’s conclusions.
That work is still in progress, but it is likely that all sides have an
increasingly clear shared understanding of how this process works in practice.
For foreign intelligence MAs, the system seems to have picked
up pretty much where the previous regime left off. The few occasions when
Commissioners have declined to approve part of an MA have mostly been about
dialing back CSE’s flexibility to go beyond the range of activities specified
in the MA without further explicit approval from the minister.
However, there does appear to be at least one substantive issue that
has been of continuing concern both to the Intelligence Commissioners and to
NSIRA. Redactions prevent us from knowing the exact nature of the
issue (or issues) of contention, but one area of concern may be how far CSE can
go in its interactions with foreign individuals when pursuing its intelligence
collection mission.
The annual cybersecurity MA for federal government
infrastructure has also been running pretty smoothly, with only one MA having been less
than fully approved. That hiccup may have concerned the status of federal cloud
storage provided by private sector infrastructure. Whatever the subject was, it resulted
in some testy comments from Commissioner Noël when CSE decided to go ahead and
do it anyway.
We are also starting to get a clearer picture of how the
new non-federal cybersecurity MAs work in practice. CSE provides cybersecurity
advice, guidance, and services to non-federal entities in multiple ways, but
the provision of services that require MAs has been low, with only six MAs issued
since 2019. Some of the more recent MAs may reflect the extension of cybersecurity
services to one or more provincial and/or territorial governments. [Update 28 June 2024: CSE confirms that it has begun deploying sensors on the IT systems of the governments of the Northwest Territories, Nunavut, and the Yukon.] Another set
of MAs may pertain to a telecommunications company or an IT services provider.
It will be interesting to see if there is an increase in the number of private
sector clients for services requiring MAs if Bill C-26 is passed.
Analysis of the post-2019 MA regime is handicapped by the pervasive secrecy that CSE applies even to activities that, in general terms, the agency is well known to conduct. Like NSIRA and NSICOP, the Intelligence Commissioners have pushed back against CSE's reflexive refusal to make even basic information public, which undermines both understanding of the agency's mission and confidence that its actions are legal and appropriate. The Commissioners and their colleagues are making some progress in that regard, but if all the guessing and hedging and identifying of unanswered questions you've just read are any guide, there's still a long way left to go.
Update 5 June 2024: See also this addendum to my comments on the 2023 annual report.