Sunday, June 19, 2022

NSIRA report on Avoiding Complicity in Mistreatment by Foreign Entities

On May 19th, NSIRA released the declassified version of its Review of Departmental Frameworks for Avoiding Complicity in Mistreatment by Foreign Entities (NSIRA Review 2019-06). Ministerial directions were issued to a number of Canadian departments and agencies in 2011 and, later, in 2017 on managing the risks of information sharing with other countries; these MDs were subsequently replaced by the provisions of the Avoiding Complicity in Mistreatment by Foreign Entities Act in 2019. NSIRA's review looked specifically at the actions taken by the six departments and agencies that received the 2017 MD, including CSE, which unsurprisingly is the agency I'm going to focus on here.

CSE comes out looking good in this report. While NSIRA noted deficiencies in the way many of the six organizations handled this issue and made a series of recommendations applicable to all of them, CSE was broadly seen as having done well in meeting its obligations.

I have to say I don't find this result greatly surprising, as two and a half decades of review by OCSEC and now NSIRA have made CSE highly conscious of the importance of ensuring that ministerial directions and other legal requirements are clearly reflected in internal policies and procedures and that compliance with those policies and procedures is effectively monitored and documented.

(This is not to suggest that reviews no longer find matters of this kind — they're still among the most common issues raised by CSE's watchdogs. But the agency has come a long way over the years in aligning its policy regime and paperwork with actual existing practice.)

What I mostly want to highlight about this report is not compliance questions, but the evidence it provides of the long way CSE has yet to go on the transparency front.

Let's look specifically at page 22 of NSIRA's report, where the annex related to CSE begins. 

For reasons mysterious to me, CSE evidently insisted on redacting the following non-secrets:

● that CSE's process under the 2011 Ministerial Directive excluded review of normal information-sharing with the Five Eyes;

● that prior to 2017, CSE's ITS (i.e., cyber) side and its SIGINT side each conducted Mistreatment Risk Assessments (MRAs);

● that the Corporate and Operational Policy Section of CSE, which now performs these assessments for the entire agency, is or at least was known internally by the alphanumeric designator D2 (and, more specifically, the sub-unit responsible was D2A);

● and that the CSE branch that contains D2 is Policy and Communications, under the direction of the Deputy Chief, Policy and Communications (DC PC) (listed as Director General, Policy and Communications (DG PC) in the out-of-date chart shown below).


Was it really necessary for CSE to insist on redacting all that information from NSIRA's report? If it was, then maybe they shouldn't have revealed it all already.


Something useful is learned

Happily, it's not all blank spaces and black holes.

On the useful information front, I've wondered for some time how CSE finessed the Five Eyes issue in the years since the 2017 Ministerial Directive appeared, since that version and the subsequent 2019 Avoiding Complicity Act contain no Five Eyes exception. 

Here the report is actually quite helpful. Although it doesn't make the Five Eyes connection explicit, the report reveals that CSE does two types of mistreatment risk assessment: case-specific ones and annual ones, the latter of which are "used to exclude countries from the normal MRA process".

I don't think there's much question which countries' boxes get ticked every year for that.