Published by The Lawfare Institute
in Cooperation With
Canada is going on the attack—at least in cyberspace. As Canada undergoes the most comprehensive national security legislation reform in over three decades, one of the most notable proposed changes in the sweeping Bill C-59 would empower Canada’s signals intelligence agency, the Communications Security Establishment (CSE), to engage in offensive cyber operations.
CSE is the Canadian equivalent of the National Security Agency or the U.K. General Communications Headquarters (GCHQ). The shift toward CSE’s engagement in so-called “active cyber,” responds to at least two trends. First, Canadian national security officials will say incidents such as the 2013 Snowden leaks underscore a need for more independent Canadian capacity to collect and act upon intelligence. This sentiment seems likely to have increased, given the rocky relations between the Trump administration and its own intelligence and national security services. Canada has traditionally been an intelligence consumer within the so-called “Five Eyes” intelligence sharing partnership with Australia, New Zealand, the United Kingdom and the United States—that is, the country has taken in more intelligence than it has given back. While it is unlikely that Canada will ever be entirely self-reliant, officials feel that a more independent capacity to act is necessary.
Second, Canada is responding to the rising prominence of threat-related cyber activity (attacks, espionage, crime and clandestine influence campaigns). Canadians and the Canadian government have suffered numerous cyber-incidents in recent years, some of which cost “hundreds of millions of dollars”. Given the uncertain international environment, and reports of hostile actors infiltrating critical infrastructure, bolstering Canada’s independent cyber capabilities makes sense.
Importantly, the tilt towards “active cyber” operations comes at the same time as reform of the government’s cybersecurity posture. Canada’s current strategy was created in 2010 and is widely considered to be out of date. While we do not yet know what the new cyber-strategy will look like, the 2018 Federal Budget anticipates two new centers: a National Cybercrime Coordination Unit within the Royal Canadian Mounted Police and a Canadian Centre for Cyber Security housed within the CSE (and modeled off of the U.K.’s National Cyber Security Centre within GCHQ) and acting as a place where the private and public sector can go for help and advice.
But defending critical infrastructure (what the proposed legislation calls “defensive cyber”) is one thing. “Active cyber”—seeking to prevent threats before they reach Canadian (and possibly allied) targets—is another. The proposed legislation takes Canada down a new path in which the civilian CSE could play a more advanced role, with the approval of the ministers of defence and foreign affairs. Specifically, the legislation allows the CSE to “carry out activities on or through the global information infrastructure to degrade, disrupt, influence, respond to or interfere with the capabilities, intentions or activities of a foreign individual, state, organization or terrorist group as they relate to international affairs, defence or security.”
This mandate faces constraints—including a prohibition on the intentional or criminally negligent infliction of death or bodily harm, and any willful attempt to “obstruct, pervert or defeat the course of justice or democracy.” Further, these operations are subject to (after-the-fact) review from by the National Security and Intelligence Committee of Parliamentarians and a new National Security and Intelligence Review Agency.
The good news for Canada’s allies is that these activities mean that Canada will be able to play a more robust role in protecting itself and its allies—and increase its overall contributions to western security arrangements. Allied foreign diplomats in Ottawa have privately welcomed this prospect.
However, by going down this path, Canada faces the same challenges as its close allies. Four issues are particularly worth discussing.
First, what will be the legal status of civilian CSE employees that engage in active cyber operations (or assistance to the Canadian Armed Forces) that may constitute participation in an armed conflict (or something close to it)? Privately, national security leaders in Canada acknowledge they have been grappling with this question. But will CSE employees receive training in the laws of war like their Department of National Defence counterparts—or will it be assumed that any operation raising such questions will be under defense leadership anyway? And if that is the case, will CSE employees be made aware of provisions regarding targeting or refusing to obey an unlawful order?
Second, some civil society groups have questioned whether or not these operations will protect the privacy of Canadians. They argue the nature of the global information infrastructure means that Canadian information is very often not being held in Canada. In their view, active cyber operations could therefore collect data in a way that could violate the right to privacy—or conceivably other rights—enshrined in the Charter of Rights and Freedoms, the Canadian equivalent to the U.S. Bill of Rights. These groups have proposed requiring an independent judicial official approve all active cyber operations to prevent this from happening.
While the concern about rights is legitimate, there are two problems with this proposed solution. Without going too much into the details about how the separation of powers functions in Canada, suffice to say that the authority to use force rests with the prime minister’s cabinet (it is a “Crown Prerogative”—essentially an executive power). Unlike the U.S. system, there are few, if any, checks on this power. To subject the decision to use force to judicial scrutiny would be an unusual innovation, which raises the question: Why require this for cyber operations and not for more classic uses of force? It is also not clear that a judicial official would be sufficiently equipped with training or expertise to contribute much to an active cyber approval process, especially since CSE intelligence collection activities judges will be more comfortable reviewing are already carved off into a separate, quasi-judicial approval regime.
Third, and more broadly, some analysts warn that by taking part in active an cyber operation, Canada would be contributing to an arms race in cyberspace. At a time when even the head of the U.S. Department of Homeland Security is calling for the establishment of cyber norms, this is an important point. Diplomacy, negotiations and international laws are and will continue to be fundamental to online governance, even if they are weak relative to domestic laws. Nevertheless, there can be such a thing as too much dependence on nascent rules: Canadians expect their government to be able to protect them from cyber-attack and a certain level of online harm.
The bottom line: Active cyber represents considerable change for the CSE.
Bill Robinson, one of Canada’s leading non-governmental CSE watchers, notes that CSE (or at least its predecessors) were created to passively collect signals intelligence through the airwaves and cables and to keep the Canadian government’s information safe. In 2001, the CSE was formally given an assistance mandate allowing it to help national security agencies protect the country. With C-59, now the CSE may engage in what could amount to direct participation in hostilities. Considering the scope of the legislation, it is striking that there has been little to no public debate about these significant changes.
Nevertheless, the good news is that Canada’s robust relationship with its Five Eyes partners means it has friends with whom it can share advice and best practices going forward. Indeed, it is likely those friends will have to.