Sunday, July 28, 2019

CSE Act comes into force 1 August 2019

The Communications Security Establishment Act (CSE Act) comes into force on the 1st of August (see Order in Council 2019-1091). The Act modifies CSE's powers in a number of significant ways, most notably mandating it to conduct computer network attack operations for both defensive and offensive purposes.

The new Act, Part 3 of Bill C-59, replaces Part V.1 of the National Defence Act, which was CSE's original statutory mandate, enacted as part of Bill C-36 in December 2001. That original statute enshrined in law the three-part mandate that CSE was already operating under based on classified directives, authorizing A) the production of signals intelligence (SIGINT) for foreign intelligence purposes; B) the protection of Canadian government communications and information technology systems and other systems "of importance to" the government of Canada; and C) the provision of operational and technical assistance to federal law enforcement and security agencies.

It also created a ministerial authorization regime that made it legal for the agency to undertake Part A and B activities that resulted in the interception of "private communications" as long those activities were not directed at persons in Canada or Canadians anywhere. This change was essential to enable CSE to process Internet-based communications. The statute also opened the way for CSE to engage in hacking, or computer network exploitation (CNE), operations.

The new CSE Act now coming into force adds a fourth part, informally referred to as Part D, to CSE's mandate: the conduct of computer network attack (CNA) operations against foreign targets, both "defensive cyber operations" to protect IT infrastructures of importance to Canada and "active cyber operations" to advance Canadian interests in general. Such operations will also be possible through Part C of CSE's mandate in support of the Canadian Forces/Department of National Defence, using CF/DND legal authorities, and were already possible in support of CSIS "threat disruption" activities, based on CSIS authorities.

This CSE chart (modified by me to add the mandate letters) shows the four parts of the agency's mandate under the CSE Act. Note, however, that the graphic's description of active cyber operations ("interfere with foreign online efforts that threaten Canada"), while possibly correct when such operations were restricted to support for CSIS, is much more limited than what is actually permitted by the CSE Act ("degrade, disrupt, influence, respond to or interfere with the capabilities, intentions or activities of a foreign individual, state, organization or terrorist group as they relate to international affairs, defence or security").

The active element of the Part D mandate changes CSE from a traditional SIGINT and IT security agency into a cyber covert action agency as well. As I and others have argued, this is a watershed moment in CSE's history, and care needs to be taken to use this new capability responsibly and ensure that Canada is not contributing to the foreclosure of options for a more stable and secure cyberspace commons. I think we would come to regret the latter result.

That said, it is probably true that development of a certain level of such capabilities is an inevitable evolution, and it may be that keeping them (largely) inside CSE will act as a damper on how frequent or widespread their offensive use by Canada becomes. The powerful SIGINT side of the agency will not want to see hard-earned intelligence accesses burned in the name of ephemeral gains or marginal matters. Protection of SIGINT accesses and sources has been the Prime Directive of the SIGINT agency ethos since signals intelligence began, and I suspect it is hard-coded into most of the people who work there, including notably career SIGINTer Shelly Bruce, the current Chief.

Foreign Intelligence and Cybersecurity Authorizations

The CSE Act also broadens the ministerial authorization regime to cover almost all information acquired by CSE. Other than publicly available information that doesn't include information for which a Canadian or a person in Canada has a reasonable expectation of privacy, CSE will not be permitted to acquire any information unless an applicable Foreign Intelligence or Cybersecurity Authorization has been issued by the Minister.

Moreover, a quasi-judicial oversight official called the Intelligence Commissioner (IC) will now have to approve each authorization in order for it to become valid. This new office, which will also oversee certain datasets for CSIS, was created by Part Two of Bill C-59. The position is now occupied by Jean-Pierre Plouffe, who was the CSE Commissioner until that office was disestablished, also by C-59.

A minor amendment proposed by the Senate would have empowered the Intelligence Commissioner to provide suggestions on how to modify a Foreign Intelligence or Cybersecurity authorization in cases where the original version was rejected by the Commissioner, but this amendment was rejected by the government and was not included in the final version of the bill.

The creation of the Intelligence Commissioner's office is significant in that it marks the first time CSE has been made directly subject to external oversight, as opposed to external review. (See here for a description of the difference between oversight and review in official Canadian parlance.)

Credit for this development probably goes mostly to the British Columbia Civil Liberties Association, which in 2013 took the federal government to court, arguing that CSE's collection of Canadian-related communications and metadata in the absence of any form of judicial authorization violated the Charter rights of Canadians. That case is still inching its way through the Federal Court, and the government evidently hopes that creation of the Intelligence Commissioner position has placed the legality of CSE's operations on a sounder footing.

National Security and Intelligence Review Agency

Bill C-59 also created a new National Security and Intelligence Review Agency (NSIRA) that replaces SIRC and the CSE Commissioner for reviewing the activities of CSIS and CSE. It will also review the national security and intelligence activities of other departments and agencies of the government, including the RCMP, the Canada Border Services Agency, the Department of National Defence, Global Affairs Canada, and the Department of Justice.

With the creation of NSIRA, the Office of the Intelligence Commissioner, and, in 2017, the National Security and Intelligence Committee of Parliamentarians (NSICOP), the review and oversight structures monitoring the Canadian intelligence community have been entirely revamped and significantly expanded.

The government has given NSIRA a very promising start by appointing retiring MP and NSICOP member Murray Rankin, law professor Craig Forcese, and the four remaining members of SIRC as the initial members of NSIRA. Forcese's work on national security law issues over the last several years has been exemplary, and I have no doubt that he will do an excellent job. Although a strong supporter of most aspects of C-59 during the two-year debate over the bill, he was in no way an uncritical cheerleader. Among other issues, Forcese made a particular point of warning parliament that the CSE Act's silence on international law could end up gutting the agency's newly created cyber operations powers:
[U]nless you amend bill C-59, you can... kiss those defensive and active cyber powers away. Unless, that is, you just want to plow ahead and see what the Intelligence Commissioner, the new National Security and Intelligence Review Agency, and the National Security and Intelligence Committee of Parliamentarians have to say about this issue. This, in my view, would be insane, since a quick flick of the legislative pen could cure this problem for you, CSE.
(See Does CSE risk a Re X moment? for more details.)

The government ignored Forcese on this point and passed the cyber powers provisions unamended. It will be interesting to see what happens if NSIRA does take up the question now that Forcese is on the committee.


Another notable development, courtesy of s.59 of the CSE Act, is that CSE will now be obligated to "publish an annual report" within three months of the end of each fiscal year (i.e., before July 1st). The Act doesn't actually state that this report must be made public, but that's probably considered implicit in the word "publish". In any case, there doesn't seem to be any doubt that the agency will indeed be producing a public annual report.

What remains to be seen is how informative the new annual report will be. The Act doesn't provide any details about the contents of the report except that it must cover CSE's "activities during that fiscal year".

In several ways, CSE has become significantly less transparent since it became a stand-alone agency in November 2011. Let's hope the annual report not only reverses that trend, but sets a new standard perceptibly above what the agency considered acceptable for release just eight years ago.

[Narrator: The trend was not reversed.]

Another potentially good bit of news on the transparency front was the government's appointment earlier this month of an 11-member National Security Transparency Advisory Group (NS-TAG). The mandate of the new committee is to advise the government how to:
  • Infuse transparency into Canada's national security policies, programs, best practices, and activities in a way that will increase democratic accountability;
  • Increase public awareness, engagement, and access to national security and related intelligence information;
  • Promote transparency while ensuring the safety and security of Canadians.
Godspeed on that!

All in all, there are some big changes now underway in CSE and the wider Canadian intelligence community thanks to the passage of C-59, and the potential for additional important changes is at least on the horizon.

Update 6 August 2019:

Some earlier news reporting/commentary featuring Public Safety Minister Ralph Goodale's sadly mistaken comments on CSE cyber powers...

Rachel Emmanuel, "New law says security agencies can launch cyber-counterattacks to foreign threats," Globe and Mail, 19 June 2019.

...and Tim McSorley's commentary in response:

Tim McSorley, "Who reviews cyber attacks in Canada? We need answers." Medium, 26 June 2019.

The bottom line here is that Goodale, if he was quoted correctly (and it appears he was), was deeply confused about the role, or more precisely the lack thereof, of the Intelligence Commissioner.

CSE is not his direct responsibility—that's Defence Minister Sajjan's job—but senior ministers on the security and intelligence file should not be making mistakes as basic as this. He's normally a very capable minister, so I expect this was just a temporary lapse.