Watchdog calls out 'gaps' in how Canada conducted online intelligence operations

An IBM employee participates in a training exercise in IBM's X-Force Command C-TOC, a mobile Cyber Tactical Operations Center, in the Brooklyn borough of New York, U.S. (Brendan McDermid/Reuters - image credit)
An IBM employee participates in a training exercise in IBM's X-Force Command C-TOC, a mobile Cyber Tactical Operations Center, in the Brooklyn borough of New York, U.S. (Brendan McDermid/Reuters - image credit)

Canada's electronic spies have overlooked "several gaps" in how they conducted their activities online, according to a recently released review from one of the country's intelligence watchdogs.

The National Security and Intelligence Review Agency (NSIRA) released a report Tuesday following its investigation into how the Communications Security Establishment (CSE) — using relatively new powers bestowed on it in 2019 — runs active and defensive cyber operations.

Defensive operations are meant to stop foreign cyber threats from harming federal government networks or other important Canadian systems, like power grids.

Active operations allow CSE to limit an adversary's ability to affect Canada's international relations, defence or security. As an example of an active operation, the agency cites preventing a foreign terrorist group from communicating or planning attacks by disabling their communication devices.

NSIRA, the watchdog set up to monitor the activities of Canada's national security and intelligence sector, says in its latest report that it wanted to assess whether CSE was appropriately considering its legal obligations and the foreign policy impacts of its first operations. It also reviewed Global Affairs Canada's (GAC) role in consenting to operations.

The review body applauded CSE for setting up a comprehensive structure to administer the new powers but concluded that "CSE and GAC have not sufficiently considered several gaps."

"The gaps observed by NSIRA are those that, if left unaddressed, could carry risks," says the heavily redacted report.

In order to run a cyber operation, CSE needs the minister of defence to issue a ministerial authorization. That requires consultation with, or consent from, the minister of foreign affairs, depending on the nature of the operation.

NSIRA, made up of people with expertise in national security, policy, technology, law, civil liberties and human rights, found CSE's applications don't offer enough detail to give the ministers a sense of the scope of their plans.

"It is important that CSE does not conduct activities that were not envisioned or authorized by either the Minister of National Defence or the Minister of Foreign Affairs," says the report.

Cyberspace law is evolving and needs attention: NSIRA

The review body also questioned how CSE justifies some of its applications.

The report says operations are meant to "align with Canada's foreign policy and respond to national security, foreign, and defence policy priorities as articulated by the government of Canada." But NSIRA said that, as it dug into its review, "it emerged that CSE confirms compliance with these requirements with a statement that the ministerial authorization meets broader government of Canada priorities, with no elaboration of how these priorities are met."

The review body also raised concerns about how CSE and GAC consider Canada's international obligations when approving online operations. The review found the two departments have not come up with a way to assess whether such operations comply with Canada's obligations under international law.

The new Communications Security Establishment Canada (CSEC) complex is pictured in Ottawa on October 15, 2013. The federal cybersecurity centre says foreign countries are very likely to try to advance their agendas in 2019 -- a general election year -- by manipulating Canadian opinion through malicious online activity. In a report today, the Canadian Centre for Cyber Security warns that state-sponsored players can conduct sophisticated influence operations by posing as legitimate users.

The Communications Security Establishment Canada (CSEC) complex in Ottawa. (Sean Kilpatrick/Canadian Press)

"NSIRA notes that international law in cyberspace is a developing area, and recognizes that Canada and other states are continuing to develop and refine their legal analysis in this field," says the report.

"[Active and defensive] activities conducted without a thorough and documented assessment of an operation's compliance with international law would create significant legal risks for Canada if an operation violates international law."

The intelligence watchdog says it will follow up on some of it concerns as it continues to review CSE's online operations.

In a statement, CSE said it has implemented all the agreed upon recommendations.

"CSE and GAC will continue to work together to ensure that the framework governing active and defensive cyber operations evolves over time as needed," said the statement.

"Importantly, since the time of this review, Canada has published an analysis of International Law Applicable in Cyberspace, and CSE's Active and Defensive Cyber Operations are conducted in accordance with this statement."