Watchdog calls out 'gaps' in how Canada conducted online intelligence operations
Canada's electronic spies have overlooked "several gaps" in how they con‐ ducted their activities on‐ line, according to a re‐ cently released review from one of the country's intelligence watchdogs.
The National Security and Intelligence Review Agency (NSIRA) released a report Tuesday following its investi‐ gation into how the Commu‐ nications Security Establish‐ ment (CSE) - using relatively new powers bestowed on it in 2019 - runs active and de‐ fensive cyber operations.
Defensive operations are meant to stop foreign cyber threats from harming federal government networks or oth‐ er important Canadian sys‐ tems, like power grids.
Active operations allow CSE to limit an adversary's ability to affect Canada's in‐ ternational relations, defence or security. As an example of an active operation, the agency cites preventing a for‐ eign terrorist group from communicating or planning attacks by disabling their communication devices.
NSIRA, the watchdog set up to monitor the activities of Canada's national security and intelligence sector, says in its latest report that it wan‐ ted to assess whether CSE was appropriately consider‐ ing its legal obligations and the foreign policy impacts of its first operations. It also re‐ viewed Global Affairs
Canada's (GAC) role in con‐ senting to operations.
The review body ap‐ plauded CSE for setting up a comprehensive structure to administer the new powers but concluded that "CSE and GAC have not sufficiently considered several gaps."
"The gaps observed by NSIRA are those that, if left unaddressed, could carry
risks," says the redacted report.
In order to run a cyber op‐ eration, CSE needs the minis‐ ter of defence to issue a min‐ isterial authorization. That re‐ quires consultation with, or consent from, the minister of foreign affairs, depending on the nature of the operation.
NSIRA, made up of people with expertise in national se‐ curity, policy, technology, law, civil liberties and human rights, found CSE's applica‐ tions don't offer enough de‐ tail to give the ministers a sense of the scope of their plans.
"It is important that CSE heavily does not conduct activities that were not envisioned or authorized by either the Min‐ ister of National Defence or the Minister of Foreign Af‐ fairs," says the report.
Cyberspace law is evolv‐ ing and needs attention: NSIRA
The review body also ques‐ tioned how CSE justifies some of its applications.
The report says opera‐ tions are meant to "align with Canada's foreign policy and respond to national security, foreign, and defence policy priorities as articulated by the government of Canada." But NSIRA said that, as it dug into its review, "it emerged that CSE confirms compli‐ ance with these requiremen‐ ts with a statement that the ministerial authorization meets broader government of Canada priorities, with no elaboration of how these pri‐ orities are met."
The review body also raised concerns about how CSE and GAC consider Canada's international oblig‐ ations when approving on‐ line operations. The review found the two departments have not come up with a way to assess whether such oper‐ ations comply with Canada's obligations under interna‐ tional law.
"NSIRA notes that interna‐ tional law in cyberspace is a developing area, and recog‐ nizes that Canada and other states are continuing to de‐ velop and refine their legal analysis in this field," says the report.
"[Active and defensive] ac‐ tivities conducted without a thorough and documented assessment of an operation's compliance with internation‐ al law would create signifi‐ cant legal risks for Canada if an operation violates interna‐ tional law."
The intelligence watchdog says it will follow up on some of it concerns as it continues to review CSE's online opera‐ tions.
In a statement, CSE said it has implemented all the agreed upon recommenda‐ tions.
"CSE and GAC will contin‐ ue to work together to en‐ sure that the framework gov‐ erning active and defensive cyber operations evolves over time as needed," said the statement.
"Importantly, since the time of this review, Canada has published an analysis of International Law Applicable in Cyberspace, and CSE's Ac‐ tive and Defensive Cyber Op‐ erations are conducted in ac‐ cordance with this state‐ ment."