Communications Security Establishment’s Governance of Active and Defensive Cyber Operations: Report

Executive Summary

The CSE Act provided CSE with the authority to conduct Active and Defensive Cyber Operations (ACO/DCO). As defined by the Act, a DCO stops or impedes foreign cyber threats to Canadian federal government networks, or to systems designated by the Minister of National Defence (MND) as being of importance to Canada. ACOs, on the other hand, are intended to limit an adversary’s ability to affect Canada’s international relations, defence, or security. ACO/DCOs are authorized by Ministerial Authorizations (MA) and, because of their potential impact on Canadian foreign policy, require the Minister of Foreign Affairs (MFA) to consent to ACO MAs and to be consulted on DCO MAs.

In this review, NSIRA set out to assess the governance framework that guides the conduct of ACO/DCOs, and to assess whether CSE appropriately considered its legal obligations and the foreign policy impacts of operations. NSIRA analyzed policies and procedures, governance and operational documentation, and correspondence within and between CSE and Global Affairs Canada (GAC). The review began with the earliest available materials pertaining to ACO/DCOs and ended concurrently with the validity period of the first ACO/DCO Ministerial Authorizations.

NSIRA incorporated GAC into this review given its key role in the ACO/DCO governance structure arising from the legislated requirement for the role of the MFA in relation to the MAs. As a result, NSIRA was able to gain an understanding of the governance and accountability structures in place for these activities by obtaining unique perspectives from the two departments on their respective roles and responsibilities.

The novelty of these powers required CSE to develop new mechanisms and processes while also working within new legal authorities and boundaries. NSIRA found that considerable work has been done by both CSE and GAC in building the ACO/DCO governance structure. In this context, NSIRA found that some aspects of the governance of ACO/DCOs can be improved by making them more transparent and clear.

Specifically, NSIRA found that CSE can improve the level of detail provided to all parties involved in the decision-making and governance of ACO/DCOs, within documents such as the MAs authorizing these activities and the operational plans that govern their execution. Additionally, NSIRA found that CSE and GAC have not sufficiently considered several gaps identified in this review, and recommends improvements relating to:

  • The need to engage other departments to ensure an operation’s alignment with broader Government of Canada priorities,
  • The lack of a threshold demarcating an ACO and a pre-emptive DCO,
  • The need to assess each operation’s compliance with international law, and
  • The need for bilateral communication of newly acquired information that is relevant to the risk level of an operation.

The gaps observed by NSIRA are those that, if left unaddressed, could carry risks. For instance, the broad and generalized nature of the classes of activities, techniques, and targets [**redacted**] ACO/DCOs can capture unintended [**redacted**] activities and targets. Additionally, given the difference in the required engagement of GAC in ACOs and DCOs, misclassifying what is truly an ACO as a pre-emptive DCO could result in a heightened risk to Canada’s international relations through the insufficient engagement of GAC.

While this review focused on the governance structures at play in relation to ACO/DCOs, of even greater importance is how these structures are implemented, and followed, in practice. We have made several observations about the information contained within the governance documents developed to date, and will subsequently assess how they are put into practice as part of our forthcoming review of ACO/DCOs.

The information provided by CSE has not been independently verified by NSIRA. Work is underway to establish effective policies and best practices for the independent verification of various kinds of information, in keeping with NSIRA’s commitment to a ‘trust but verify’ approach.

Authorities

This review was conducted pursuant to paragraphs 8(1)(a) and 8(1)(b) of the National Security and Intelligence Review Agency (NSIRA) Act.

Introduction

Review background and methodology

With the coming into force of the CSE Act on August 1, 2019, CSE received the authority to independently conduct Active and Defensive Cyber Operations (ACO/DCOs henceforth) for the first time. While initial briefings on the subject in late fall of 2019 conveyed to NSIRA [**relates to CSE operations**] CSE later explained that [**redacted**]. In this context, NSIRA will be assessing ACO/DCOs in a staged approach. The objective of this review is to better understand CSE’s development of a governance structure for ACO/DCOs. NSIRA will follow up with a subsequent review of the operations themselves. This subsequent review is underway, with completion expected in 2022.

This review pertained to the structures put in place by CSE to govern the conduct of ACO/DCOs. Governance in this context can pertain to the establishment of processes to guide and manage planning, inter-departmental engagement, compliance, training, monitoring, and other overarching issues that affect the conduct of ACO/DCOs. NSIRA recognizes that these structures may be revised over time based on lessons learned from operations. Canada’s allies, who have had similar powers to conduct cyber operations for many years, [**relates to foreign partners’ capabilities**]. In this context, NSIRA’s objective was to determine whether, in developing a governance structure for ACO/DCOs at this early stage, CSE appropriately considered and defined its legal obligations, and the foreign policy and operational components of ACO/DCOs.

As part of this governance review, NSIRA assessed policies, procedures, governance and operational planning documents, risk assessments, and correspondence between CSE and GAC (whose key role in this process is described below). NSIRA reviewed the earliest available materials relating to the development of the ACO/DCO governance structure, with the review period ending concurrent with the validity period of the first ACO/DCO Ministerial Authorizations on August 24, 2020. As such, the findings and recommendations made throughout this report pertain to the governance structure as it was presented during the period of review.

What are Active and Defensive Cyber Operations?

As defined in the CSE Act, Defensive Cyber Operations (DCOs) are those that stop or impede foreign cyber threats before they reach Canadian federal government systems or networks and systems designated by the Minister of National Defence (MND) as being of importance to Canada, such as Canada’s critical infrastructures and registered political parties. Active Cyber Operations (ACOs), on the other hand, allow the government to use CSE’s online capabilities to undertake a range of activities in cyberspace that limit an adversary’s ability to negatively impact Canada’s international relations, defence, or security, without their knowledge or consent. ACOs can include, for example, activities that disable communications devices used by a foreign terrorist network to communicate or plan attacks. The impacts of ACO/DCOs, [**relates to CSE operations**] of an ACO/DCO.

To conduct ACO/DCOs, CSE relies on its existing access to the global information infrastructure (GII), foreign intelligence expertise, and domestic and international partnerships to obtain relevant intelligence to support the informed development of ACO/DCOs. Activities conducted under CSE’s foreign intelligence and cybersecurity mandates allow CSE to gather information related to the intent, plans, and activities of actors seeking to disrupt or harm Canadian interests. According to CSE, the preliminary gathering of intelligence, capability development, [**redacted**] comprises the majority of the work necessary to conduct an ACO/DCO whereas the resulting activity in cyberspace is considered to be [**redacted**] of the task.

Legal foundation for conducting cyber operations

The CSE Act provides the legal authority for CSE to conduct ACO/DCOs, and these aspects of the mandate are described in the Act as reproduced in Figure 1 below. The ministerial authorization regime in the CSE Act provides CSE with the authority to conduct the activities or classes of activities listed in section 31 of the CSE Act in furtherance of the ACO/DCO aspects.

Defensive Cyber Operations (DCOs)

  • Section 18 of the CSE Act
  • The defensive cyber operations aspect of the Establishment’s mandate is to carry out activities on or through the global information infrastructure to help protect
    • (a) federal institutions’ electronic information and information infrastructures; and
    • (b) electronic information and information infrastructures designated … as being of importance to the Government of Canada.

Active Cyber Operations (ACOs)

  • Section 19 of the CSE Act
  • The active cyber operations aspect of the Establishment’s mandate is to carry out activities on or through the global information infrastructure to degrade, disrupt, influence, respond to, or interfere with the capabilities, intentions, or activities of a foreign individual, state, organization, or terrorist group as they relate to international affairs, defence or security.

Importantly, the Act limits ACO/DCOs in that they cannot be directed at Canadians or any person in Canada and cannot infringe on the Charter of Rights and Freedoms; nor can they be directed at any portion of the GII within Canada.

ACO/DCOs must be conducted under a Ministerial Authorization (MA) issued by the MND under subsection 29(1) (DCO) or subsection 30(1) (ACO) of the CSE Act. ACO/DCO MAs permit CSE to conduct ACO/DCO activities despite any other Act of Parliament or of any foreign state. In order to issue an MA, the MND must conclude that there are reasonable grounds to believe that any activity is reasonable and proportionate, and must also conclude that the objective of the cyber operation could not reasonably be achieved by other means. In addition, the MND must consult the Minister of Foreign Affairs (MFA) in order to issue DCO MAs, and must obtain the MFA’s consent in order to issue ACO MAs. Authorized ACO/DCO activities cannot cause, intentionally or by criminal negligence, death or bodily harm to an individual, nor willfully attempt in any manner to obstruct, pervert, or defeat the course of justice or democracy. Importantly, unlike the MAs issued under the foreign intelligence, and cybersecurity and information assurance aspects of CSE’s mandate, ACO and DCO MAs are not subject to approval by the Intelligence Commissioner.

In addition to the ACO/DCO aspects of its mandate, CSE may also conduct ACO/DCO-type activities through technical and operational assistance to other Government of Canada (GC) departments. CSE may assist federal law enforcement and security agencies (LESAs) for purposes such as preventing criminal activity, reducing threats to the security of Canada, and supporting GC-authorized military missions. When providing assistance, CSE operates entirely within the legal authorities and associated limitations of the department requesting the assistance. Similarly, persons acting on CSE’s behalf benefit from the same exemptions, protections and immunities as persons acting on behalf of the requesting LESAs. These assistance activities will be reviewed in subsequent NSIRA reviews.

In addition to the CSE Act, international law forms part of the legal framework in which ACO/DCO activities are conducted. Customary international law is binding on CSE’s activities, as Canadian law automatically adopts customary international law through the common law, unless there is conflicting legislation.

NSIRA notes that international law in cyberspace is a developing area. There is limited general state practice, opinio juris (i.e., state belief that such practice amounts to a legal obligation), or treaty law elaborating on how international law applies in the cyber context. Moreover, while Canada has publicly articulated that international law applies in cyberspace, it has not articulated a position on how it believes international law applies in cyberspace. At the same time, Canada has committed to building a common understanding between states of agreed voluntary, non-binding norms of responsible state behaviour in cyberspace. NSIRA will closely monitor this emerging area of international law, including State practice in relation to CSE’s ACO/DCO activities, particularly in assessing CSE and GAC’s consideration of applicable international law as part of our subsequent review of ACO/DCOs.

Policy framework guiding cyber operations

Development of GAC-CSE framework for consultation

Conducting ACO/DCOs may elevate risks to Canada’s foreign policy and international relations. While CSE’s foreign intelligence mandate seeks only to collect information, ACO/DCOs [**redacted**]. As GAC is the department responsible for Canada’s international affairs and foreign policy, the MFA has a legislated role in consenting to the MND’s issuance of an ACO Ministerial Authorization, and in being consulted on the issuance of a DCO Ministerial Authorization.

As directed by the MFA, CSE and GAC worked together to develop a framework for collaboration on matters related to ACO/DCOs. CSE and GAC began to engage on these matters before the coming into force of the CSE Act to proactively address the consultation and consent requirements embedded in the Act. Together, CSE and GAC have developed various interdepartmental bodies related to ACO/DCOs to facilitate consultation at different levels, including working groups at the levels of Director General and Assistant Deputy Minister.

CSE Governance Structure

CSE’s Mission Policy Suite (MPS) details the authorities in place to guide ACO/DCOs, prohibited activities when conducting ACO/DCOs and guidance in interpreting these prohibitions, as well as the governance framework to oversee the development and conduct of ACO/DCOs – known as the Joint Planning and Authorities Framework (JPAF). The general structure of this governance framework and process is intended to be used for all ACO/DCOs, irrespective of their risk-level. However, depending on the risk level of the operations, the framework sets out the specific approval levels.

During the period of review, the JPAF comprised several components required to plan, approve, and conduct cyber operations. The primary planning instrument for ACO/DCOs was [**relates to CSE operations**] that detailed the [**redacted**] identified [**redacted**] and highlighted risks and mitigations. [**redacted**] is used to determine and enumerate a range of risks associated with any new activity. In this period, CSE developed [**redacted**] NSIRA also received these documents [**redacted**] that fell slightly outside the review period, but provided relevant insight into the governance structure at the operation level.

Two primary internal working groups exist to evaluate and approve CSE’s internal plans for ACO/DCOs. The Cyber Operations Group (COG) is a Director-level approval body composed of key stakeholders and is chaired by the Director of the operational area that has initiated or sponsored a cyber operations request. The role of the COG is to review the operational plan and assess any associated risks and benefits. The COG may approve a [**redacted**] or may defer approval to the CMG as appropriate. The Cyber Management Group (CMG) is a Director General (DG) level approval body that is formed [**redacted**] has been reviewed and recommended by the COG.

CSE then develops the [**relates to CSE operations**] is reviewed internally to ensure it aligns [**redacted**] and is later approved at the Director level, although CSE has indicated it could be subject to delegation to a Manager.

Findings and Recommendations

Clarity of Ministerial Authorizations

NSIRA set out to assess whether the requirements of the CSE Act in relation to ACO/DCOs are appropriately reflected in the MND’s MAs authorizing ACO/DCO activities, and whether CSE appropriately consulted or received the consent of the MFA, as required by the Act.

NSIRA reviewed two MAs related to ACOs and DCOs, respectively, which were valid from [**redacted**]. Notably, both MAs only approved [**redacted**] ACO/DCOs. Additionally, NSIRA reviewed documentation supporting the MAs, including the Chief’s Applications to the MND and the associated confirmation letters from the MFA, as well as working-level documents and correspondence provided by both CSE and GAC.

The MAs examined by NSIRA outlined the new authorities found in the CSE Act, and set conditions on how ACO/DCOs are to be conducted, including the prohibitions that are found in the Act. Additionally, the MAs required that ACO/DCO activities align with Canada’s foreign policy priorities and respond to Canada’s national security, foreign, and defence policy priorities as articulated by the GC.

Supporting cyber operations with information collected under previous authorizations

CSE received its authority to conduct ACO/DCOs during a time when CSE’s collection of foreign signals intelligence (SIGINT) was authorized by MAs issued under the National Defence Act (NDA). [**redacted**]. CSE confirmed to NSIRA that the ACO/DCOs [**redacted**] relied solely on information collected under CSE Act MAs. CSE explained that [**redacted**] NSIRA will confirm this as part of our subsequent review of specific ACO/DCOs.

CSE’s consultation with the Minister of Foreign Affairs

CSE provided GAC with the full application packages for the ACO/DCO MAs in place during the review period. Further, GAC and CSE officials engaged at various levels prior to the coming into force of the CSE Act, and during the development of the MAs – particularly in assessing the classes of activities authorized within them. In response to CSE’s MA application package, the MFA provided letters acknowledging her consultation and consent on the DCO and ACO MAs respectively. NSIRA welcomes this early and rigorous engagement on the part of both departments, given the intersection of their respective mandates in the context of ACO/DCOs.

Both letters from the MFA note the utility of ACO/DCOs [**redacted**] for the GC, articulating the importance of approaching this capability with caution in the initial stages. Notably, the MFA highlights the “carefully defined” classes of activities defined in the ACO MA as assurance that the activities authorized under the MA presented [**redacted**]. Finally, the MFA directed her officials to work with CSE to establish a framework for collaboration on [**redacted**] This direction from the MFA aligns with GAC’s view of the importance of ensuring CSE’s activities would be coherent with Canada’s foreign policy, and that either the MA or another mechanism should provide for that.

Scope and breadth of the Ministerial Authorizations

[**relates to CSE operational policy**] ACO MA issued under section 31 of the CSE Act authorized classes of activities such as:

  • [**redacted**] interfering with a target’s [**redacted**] or elements of the global information infrastructure (GII);
  • [**redacted**]
  • [**redacted**]
  • disrupting a cyber threat actor’s ability to use certain infrastructure.

[**redacted**] DCO MA authorized the same activities, except for the last class of activities, [**relates to CSE operations**].

Both of the ACO/DCO MAs required CSE to conduct ACO/DCOs [**in a certain way**]. According to the ACO MA, it is these conditions, if met, that would make ACO/DCOs conducted under these MAs [**redacted**]. While GAC assesses foreign policy risks at a more operational level, the MAs developed in the review period only required these two conditions to be met when conducting ACOs or DCOs. Further, the specifics of how to meet these broad conditions are left to CSE’s discretion, and the MA only requires CSE to self-report on them. NSIRA further notes that these conditions do not include foreign policy variables, [**redacted**]. To confirm [**redacted**] foreign policy risk associated with an operation, NSIRA believes it is important that the MAs stipulate how foreign policy risk factors are to be assessed.

[**redacted**] stating that:

[**redacted**]

CSE appears to have responded to [**relates to CSE operations**]. This may also impact the Minister’s ability to assess any authorized activities as stipulated in the CSE Act, which requires sufficient precision in an MA application for the Minister to satisfy these requirements.

The classes of ACO/DCO activities, some of which are detailed in paragraph 27, are highly generalized. For instance, nearly any activity conducted in cyberspace can be feasibly classed as [**redacted**] interfering with elements of the global information infrastructure.” [**relates to CSE operations**]

Indeed, early discussions between CSE and GAC highlighted that the activity of [**redacted**] and content “raises difficult questions,” though NSIRA notes that such an activity is nevertheless authorized in the final ACO MA in the activity class of [**redacted**]. In short, the authorization for a class of activities [**redacted**] was incorporated into an even broader class of activities, without any evident [**redacted**] previously associated with it. This type of categorization does not sufficiently communicate information to the Minister to appreciate [**redacted**] activities that could be carried out under the MA.

By contrast, the techniques and associated examples outlined in the Applications are the only means through which it is clarified what types of activities could be taken as part of an ACO/DCO. These examples provide the basis for the MND to assess the classes of activities requested in the MA. Early correspondence between CSE and GAC saw the classes of activities described and analyzed in tandem with the techniques that would enable them. For instance, it was noted that [**relates to CSE operations**] which NSIRA found more informative with respect to what specific actions were captured within the class of activities. NSIRA further notes that even these techniques and examples are described in the Applications as a non-exhaustive list, potentially enabling CSE to conduct activities that are not clearly outlined in the Applications.

Similarly, the target of ACO/DCO activities is typically identified as ‘foreign actor,’ which could encompass a wide range of [**redacted**] In the early stages of MA development, CSE and GAC had discussed [**relates to CSE operations**] within the MAs, and GAC specified that the intent of [**redacted**] was to focus on [**redacted**] given the [**redacted**]. GAC also noted that the ACO MA “would [more] clearly define [**redacted**] to some extent. Neither of these considerations were reflected in the final [**redacted**] MAs, which CSE explained “are not limited to activities [**redacted**] meaning that [**redacted**]. NSIRA believes that the MAs should carefully define targets of ACO/DCO activities [**redacted**]. ACO/DCOs to specific target sets [**redacted**] to ensure that the activities permitted by the MA are reflective of its [**redacted**].

NSIRA notes that only the MAs, and not the associated Applications, authorize CSE to conduct its activities. As such, the exclusion of this information from the MAs means that only the broad classes of activities, as described in the MAs, guide the actions that CSE can take in conducting an ACO/DCO, and not the techniques and examples in the Applications that help justify the standard on which the risk of the activities is based. NSIRA does not believe that the classes of activities as described within the MAs sufficiently limit CSE’s activities [**relates to CSE operations**]. Even though, as explained by GAC, interdepartmental consultative processes between the two departments may serve as a mechanism to limit CSE’s activities, these processes were not explicitly recorded in the MAs authorizing them. NSIRA believes more precise ACO/DCO MAs will minimize the potential for any misunderstanding regarding the specific activities authorized.

The approach of specifying broad classes of activities is in line with CSE’s general practice of obtaining broad approvals from senior levels such as the Minister, with more specific internal controls guiding the operations to be conducted within the scope of the approved activity. According to GAC, it tends to rely on more specific approvals based on the [**redacted**] for which approval is sought. CSE offered that its approach allows CSE to obtain approval for activities in such a way that “enables flexibility to maximize opportunities, but with enough caveats to ensure risks are appropriately mitigated.”

While NSIRA acknowledges that MAs should be reasonably nimble to enable CSE to conduct [**redacted**] ACO/DCOs should the need arise, it is important that CSE does not conduct activities that were not envisioned or authorized by either the MND or the MFA in the issuance of the applicable MAs. NSIRA believes that in the context of [**redacted**] ACO/DCOs, CSE can adopt a more transparent approach that would make clearer the classes of activities it requests the Minister to authorize. This is especially important given the early stage of CSE’s use of these new authorities. By authorizing more precise classes of activities, associated techniques, and intended target sets, ACO/DCOs would be less likely to [**redacted**] of the MAs.

CSE has stated that, “being clear about objectives is critical for demonstrating reasonableness and proportionality.” NSIRA shares this view, and believes that the classes of activities and the objectives described in the MAs and their associated Applications should be more explicit for the MND to be able to conclude on reasonableness and proportionality of ACO/DCOs – particularly given that the MAs assessed as part of this review were not specific to an operation. As part of the Authorization, the Minister also requires CSE to provide a quarterly retroactive report on the activities conducted. Moreover, to issue an authorization, the MND must be satisfied that the activities are reasonable and proportionate, and that there are reasonable grounds to believe that the objective of the cyber operation could not reasonably be achieved by other means. This requirement further points toward a need for the MND to appreciate, with a certain degree of specificity, the types of activities and objectives that will be carried out under the authorization.

In both of the MAs reviewed, the Minister concluded that the requirements set out within s. 34(4) of the CSE Act are met. Further, the MAs set out the objectives to be met in the conduct of ACO/DCOs. However, the rationale offered in the ACO MA that the objectives could not reasonably be achieved by other means is quite broad and focuses on general mitigation strategies for cyber threat activities. The paucity of detail provided to the Minister under the current framework could make it challenging for the MND to meet this legislative requirement. In relation to the thresholds of s. 34(4) of the CSE Act, CSE has indicated that “the application for the Authorization, must set out the facts that explain how each of the activities described in the Authorization are part of a larger set of individual activities or part of a class of activities that achieves an objective that could not reasonably be achieved by other means.” In our subsequent review of ACO/DCOs, NSIRA will assess whether specific ACO/DCOs aligned with the objectives of the MA, and CSE’s determination that they could not reasonably have been achieved by other means.

Finding no. 1: The Active and Defensive Cyber Operations Ministerial Authorization Applications do not provide sufficient detail for the Minister(s) to appreciate the scope of the classes of activities being requested in the authorization. Similarly, the Ministerial Authorization does not sufficiently delineate precise classes of activities, associated techniques, and intended target sets to be employed in the conduct of operations.

Finding no. 2: The assessment of the foreign policy risks required by two conditions within the Active and Defensive Cyber Operations Ministerial Authorizations relies too much on technical attribution risks rather than characteristics that reflect Government of Canada’s foreign policy.

Recommendation no. 1: CSE should more precisely define the classes of activities, associated techniques, and intended target sets to be undertaken for Active and Defensive Cyber Operations as well as their underlying rationale and objectives, both in its Applications and associated Ministerial Authorizations for these activities.

Recommendation no. 2: GAC should include a mechanism to assess all relevant foreign policy risk parameters of Active and Defensive Cyber Operations within the associated Ministerial Authorizations.

[**redacted**] approach to MA application development

During the review period, CSE only developed MA applications for what it considered [**redacted**] ACO/DCOs, which were first prioritized for development [**related to CSE operations**]. As CSE’s capacity to conduct ACO/DCOs matures and it begins to [**redacted**]. NSIRA has observed CSE and GAC exploring the idea of [**redacted**] ACOs, which, if pursued, would [**redacted**] based on GAC’s methodology.

While the MAs obtained to date, which are not specific to an operation, allow CSE to act in [**redacted**]. NSIRA believes their generalized nature is not transferable to [**potential MAs of a different nature**]. For instance, [**description of an NSIRA concern about the Minister’s ability to fully assess certain factors about cyber operations in a certain context**]. In the context of the development of the 2019-20 ACO MA Application, GAC noted, “other purposes would require other MAs. They will not be completely general; they will be specific to a context.”

Further, under the current legislative scheme, the MA Applications are a key mechanism through which the MFA has an opportunity to assess ACO/DCO activities. Because of the [**redacted**] ACO/DCOs to Canada’s foreign policy and international relations, NSIRA believes the MFA should be more directly involved in their development and execution at the Ministerial level, in addition to the working level engagement that takes place between CSE and GAC. Both Ministers can more effectively take accountability for such operations through individual MAs that provide specific details relating to the operation, its rationale, and the activities, tools, and techniques that will enable it. As such, when CSE [**redacted**] ACOs, NSIRA encourages CSE to develop MA Applications that are specific to these operations, and ensure these documents contain all the pertinent operational details that would allow each Minister to fully assess the implications and risks of each cyber operation and take accountability for it.

Strategic direction for cyber operations

Section 19 of the CSE Act frames CSE’s authority to conduct ACOs in relation to international affairs, defence, or security, all areas that could implicate the responsibility of other departments. Additionally, the MAs reviewed by NSIRA require that ACOs “align with Canada’s foreign policy and respond to national security, foreign, and defence policy priorities as articulated by the Government of Canada.” The setting of these priorities involves a wide range of GC departments, including the Privy Council Office (PCO), the Department of National Defence (DND), and Public Safety Canada (PS), which are responsible for coordination and oversight of different parts of priority setting in this context. Throughout this governance review, it emerged that CSE confirms compliance with these requirements by means of a statement that the MA meets broader GC priorities, with no elaboration of how these priorities are met.

Interdepartmental GC processes are not new in the context of coordinating national security activities and operations. As one example, when the MFA requires foreign intelligence collection within Canada, he or she submits a request to the Minister of Public Safety for this collection to be facilitated by the Canadian Security Intelligence Service (CSIS) in accordance with section 16 of the CSIS Act. A Committee consisting [**redacted**] subsequently considers this type of request. The Committee considers issues at the Assistant Deputy Minister level, [**relates to GC decision making processes**]. Similarly, ensuring an ACO’s alignment with broader priorities and that it could not reasonably be achieved by other means can also be confirmed through an interdepartmental process. In other words, interdepartmental consultations are a means to assess the objectives of ACOs, their alignment with broader GC priorities, as well as whether there are other means by which to achieve the set objectives, as required by the CSE Act.

The setting of broader GC priorities and objectives for ACOs emerged as a key component of the governance structure for this new power in early discussions between CSE and GAC. During the period of review, CSE developed ACOs with GAC participating in some aspects of the planning process. GAC encouraged the MFA to request the development of a governance mechanism to mitigate the risk that “CSE could decide, on their own, to engage [**redacted**]”, noting that [**redacted**].

Early internal GAC assessments contrasted this with CSE’s foreign intelligence mandate, which responds to Cabinet-approved intelligence priorities, and captured the essence of this discrepancy in stating:

[**quotation from GAC that reflects discussion related to strategic objectives and priorities of cyber operations**]

In another instance, GAC described the setting of such priorities as an “important issue that has not yet been agreed to with CSE,” and explained its view at the time that a body with a mandate relevant to the cyber operation should decide if it is the appropriate tool to achieve a particular objective. GAC explained that its officials eventually agreed to move forward without pursuing this matter as long as a governance mechanism was established with CSE.

In this context, s. 34(4) of the CSE Act requires that the objectives of the cyber operation could not be reasonably attained by other means, and that cyber operations respond to priorities in various subject areas. Given these requirements, NSIRA notes that GC departments, other than just CSE and GAC, may be able to provide meaningful insight regarding other options or ongoing activities that could achieve the same objectives.

Furthermore, GAC highlighted the fact that Cabinet sets the Standing Intelligence Requirements (SIRs) that limit and more narrowly direct CSE’s foreign intelligence collection activities. When asked about this issue, CSE responded that “these discussions led both GAC and CSE to agree to begin with a [**redacted**] Ministerial Authorization supported by the CSE-GAC ACO/DCO consultation structure and governance framework.”

In NSIRA’s view, the CSE Act and the ACO MA directly relate ACOs to broader GC objectives and priorities that directly implicate the mandates of departments such as DND, PCO, CSIS, and PS, in addition to those of CSE and GAC. It is not sufficient for CSE to state that an MA and its associated activities align with these priorities without elaboration or consultation of any other parties, given that Canada’s national security and defence policy priorities are under the remit or coordination of DND, PCO, and PS. These departments would be best positioned to comment on, and confirm, a specific ACO’s alignment with Canada’s goals in order to mitigate the potential risks associated with these operations and contribute to overall accountability of these operations.

[**relates to GC national security matters**] As such, the governance process merits the inclusion of – or at the very least consultation with – other departments whose mandates are to oversee Canada’s broader strategic objectives. This could ensure that Canada’s broader interests and any potential risks have been sufficiently considered and reflected in the development of ACOs.

Finding no. 3: The current governance framework does not include a mechanism to confirm an Active Cyber Operation’s (ACO) alignment with broader Government of Canada (GC) strategic priorities as required by the CSE Act and the Ministerial Authorization. While these objectives and priorities extend beyond CSE and GAC’s remit alone, the two departments govern ACOs without input from the broader GC community involved in managing Canada’s overarching objectives.

Recommendation no. 3: CSE and GAC should establish a framework to consult key stakeholders, such as the National Security and Intelligence Advisor to the Prime Minister and other federal departments whose mandates intersect with proposed Active Cyber Operations, to ensure that they align with broader Government of Canada strategic priorities and that the requirements of the CSE Act are satisfied.

Threshold for conducting pre-emptive DCOs

CSE differentiates between DCOs initiated in response to a cyber threat, and DCOs issued pre-emptively to prevent a cyber threat from manifesting. Further, CSE and GAC have discussed the nature of these operations, including that they exist on a spectrum ranging from operations which are responsive, to those which can be proactive in nature. Notably, in the case of DCOs, [**relates to CSE operations**].

CSE has explained that the initiation of a DCO “requires evidence of a threat that represents a source of harm to a federal institution or designated electronic information or information infrastructure.” In CSE’s view, this threat does not need to compromise the infrastructure before a DCO is initiated, so long as evidence establishes a connection between the two.

At the same time, CSE has not yet developed a means to distinguish between this type of DCO and an ACO, given that discussions between GAC and CSE noted that a DCO could resemble an ACO when it is conducted proactively. Unlike ACOs, which require the consent of the MFA and result in a comprehensive engagement of GAC throughout the planning process, DCOs only require consultation with the MFA. Without a clear threshold for a proactive DCO, the potential exists for insufficient involvement of GAC in an operation that could resemble (or constitute) an ACO, [**redacted**].

In our subsequent review, we will pay close attention to the nature of any pre-emptive DCOs planned and/or conducted to ensure that they do not constitute an ACO.

Finding no. 4: CSE and GAC have not established a threshold to determine how to identify and differentiate between a pre-emptive Defensive Cyber Operation and an Active Cyber Operation, which can lead to the insufficient involvement of GAC if the operation is misclassified as defensive.

Recommendation no. 4: CSE and GAC should develop a threshold that discerns between an Active Cyber Operation and a pre-emptive Defensive Cyber Operation, and this threshold should be described to the Minister of National Defence within the applicable Ministerial Authorizations.

Collection of information as part of a cyber operation

Under s. 34(4) of the CSE Act, the MND only issues an authorization if he or she concludes that no information will be acquired under the authorization except in accordance with an authorization issued under ss. 26(1) or 27(1) or (2) or 40(1). The ACO/DCO MAs issued under the period of review reflect this restriction. The ACO/DCO MAs and corresponding applications only mention that existing foreign intelligence MAs will be used to acquire information to support ACO/DCO activities. The MAs further articulate that no information will be acquired in the conduct of ACO/DCO activities which are authorized under the ACO MA.

However, the MAs and the supporting applications do not describe the full extent of information collection activities resulting from ACO/DCOs. According to CSE policy, CSE is still permitted to collect information [**redacted**] so long as this activity is covered under another existing MA. CSE explained that ACO/DCO MAs cannot be relied on to facilitate intelligence collection, however [**relates to CSE operations**]. For example, [**redacted**] using the applicable Foreign Intelligence (FI) authority to [**redacted**] in accordance with GC intelligence priorities.

Although the CSE Act permits CSE to acquire information pursuant to collection MAs, NSIRA believes that CSE’s policy to allow collection activities under different MAs during the conduct of cyber operations is not accurately expressed within the ACO/DCO MAs. Instead, the collection of information is listed under prohibited conduct within the ACO MA, giving the impression that collection cannot occur under any circumstances. As a result, NSIRA notes that the way in which the ACO MA is written does not provide full transparency of CSE’s own internal policies.

CSE explained that [**redacted**] during an ACO/DCO. Further, NSIRA learned from a CSE subject-matter expert (SME) that a specific [**redacted**] which outlines the precise activities to be undertaken as part of the operation, guides each ACO/DCO. [**relates to CSE operations**].

Given CSE’s policy of allowing collection and cyber operations to occur simultaneously [**redacted**], NSIRA will closely review the roles and responsibilities [**redacted**] involved in ACO/DCOs, as well as the technical aspects of using CSE’s systems in support of ACO/DCOs, in our subsequent review of specific operations conducted by CSE to date.

Finding no. 5: CSE’s internal policies regarding the collection of information in the conduct of cyber operations are not accurately described within the Active and Defensive Cyber Operations Ministerial Authorizations.

Recommendation no. 5: In its applications to the Minister of National Defence, CSE should accurately describe the potential for collection activities to occur under separate authorizations while engaging in Active and Defensive Cyber Operations.

Internal CSE Governance

NSIRA set out to assess whether CSE’s internal governance process sufficiently incorporates all the necessary considerations in the planning and execution of the operations and whether those implicated in the conduct of ACO/DCOs (i.e. GAC and [**redacted**]) are adequately informed of the parameters and limitations pertaining to cyber operations.

During the period of review, CSE operationalized its requirements in the CSE Act and MAs through various internal planning and governance mechanisms. These ranged from strategic, high-level planning documents and mechanisms to the individual operational [**documents/mechanisms**] of each ACO/DCO.

Governance of operations

As described earlier, CSE uses various planning and governance documentation in the approval process for individual ACO/DCOs, including the [**redacted**]. CSE first develops the [**redacted**] an ACO/DCO. Following this, CSE creates a [**redacted**] which outlines the risks to be considered in conducting the ACO/DCO. Additionally, the [**redacted**] and the [**redacted**] both generally include fields relating to the prohibitions set out within the CSE Act. Once a specific target is chosen, the [**redacted**] serves as the final governance document, prior to the [**redacted**] of an ACO/DCO.

Similar to the ACO/DCO MAs, as an initial operational plan, the [**redacted**] generally preapproves a set of activities and a generalized [**redacted**] which are then further refined and developed as part of the [**redacted**] process. In NSIRA’s view, [**relates to CSE operations**].

Specifically, the [**relates to CSE operations**] and other operational details that, in NSIRA’s view, surpass simply [**redacted**] and contain key components of operational planning. [**redacted**] details the specific [**redacted**]. Nonetheless, despite the [**redacted**] the [**redacted**] it may have a lower approval threshold than that of the [**redacted**].

Overall, NSIRA welcomes that CSE has developed procedures and documented its operational planning associated with ACO/DCO activities, in accordance with its requirements in the MPS. Nonetheless, the numerous governance documents that comprise the governance of ACO/DCOs exist to serve different audiences and purposes, and result in pertinent information dispersed across them, rather than being available in a unified structure for all implicated stakeholders and decision-makers to assess. NSIRA believes the many separate components of governance may be redundant and result in unnecessary ambiguity within the same operational plans that are meant to guide ACO/DCOs. Thus, NSIRA will assess the efficacy of this governance structure as it is applied to operations as part of our subsequent review.

Finding no. 6: The [**redacted**] process, which occurs after planning documents have been approved, contains information that is pertinent to CSE’s broader operational plans. The [**redacted**] at times contained pertinent information absent from these other documents, even though it is approved at a lower level of management.

Recommendation no. 6: CSE should include all pertinent information, including targeting and contextual information, within all operational plans in place for a cyber operation, and in materials it presents to GAC.

Training on the new framework for cyber operations

Both the ACO and DCO Ministerial Authorizations authorize the following classes of persons to conduct ACO/DCO activities: [**relates to CSE’s operational policy**]. The MAs further require that these “persons or classes of persons must operationally support CSE and Government of Canada intelligence requirements, and demonstrate an understanding of the relevant legal and policy requirements.”

Further demonstrating a commitment to the training and education of its operational staff in the new legal and policy requirements, CSE has stated—with respect to a specific operation—that:

The operational activities undertaken [**redacted**] who receive extensive and continuous training on their function and duties as well as the policy considerations and compliance requirements for their specific role. Additionally, [**redacted**] are trained and accountable for the activities they are carrying out, including all relevant compliance reporting requirements. [**redacted**] performing activities [**redacted**] are also provided, in advance, all related operational materials to ensure the operational conditions outlined within are understood and adhered to.

Finally, CSE explained to NSIRA that “prior to the new Act being approved, CSE provided virtual and in-person briefings on the new authorities to all of CSE’s workforce. More tailored briefings were available for operational teams.” These included presentations and question-and-answer sessions with the Deputy Chief, Policy and Communications, and other briefing sessions created by CSE’s policy teams. However, NSIRA notes these types of training sessions, while educational at a high level, are not operation-specific and do not test employees’ understanding of their new legislative operating environment.

Based on the above requirements and assurances, NSIRA expected to find that CSE employees supporting ACO/DCOs were provided with sufficient and effective training to thoroughly understand their responsibilities in light of CSE’s new legal authorities and constraints, and to apply this knowledge in the delivery of ACO/DCOs.

In this context, CSE conducted a tabletop exercise with a view to introducing [**certain employees**] to the MA design process at an early stage, to enlist their involvement in the drafting of MAs, and to test the functional viability of the MA framework, among other objectives. Throughout the exercise, [**the above-mentioned employees**] were barred from seeking advice from policy and legal representatives so that management could observe results as they may naturally occur. NSIRA notes a key observation from the exercise:

[**redacted**] expressed unease with the need to rely on multiple MAs to support evolving mission objectives. Policy guidance and training will be needed to [**redacted**] to know what authority they are operating under as they proceed with an operation across missions and across MAs. This guidance and training must also account for the fact that information collected under different MAs could be subject to different data management requirements.

CSE stated that [**certain employees**] obtain knowledge of the legal authorities, requirements, and prohibitions of an ACO or DCO through planning meetings and knowledge of the operational documents. In an interview with a CSE SME [**redacted**] NSIRA learned that the training offered on CSE’s new legal authorities, requirements, and prohibitions [**redacted**]. The SME said that if they had any questions about the governance, they would [**relates to CSE operations**].

It is unclear to NSIRA whether there exists a requirement for [**redacted**] to thoroughly understand the parameters delineated for an ACO/DCO within the [**redacted**]. For instance, when asked about their comfort level with operating under different MAs [**redacted**] contained in the [**redacted**], CSE explained that [**redacted**] are developed from the [**redacted**], but as described [**redacted**]. NSIRA is concerned that if [**certain employees**] are focused primarily on the [**certain document/mechanism**], they may not have an adequate understanding of the broader parameters and restrictions associated with an operation.

The MAs authorizing ACO/DCOs impose a condition on CSE’s employees involved in the execution of ACO/DCOs to demonstrate an understanding of the legal and policy requirements under which they operate. The MAs and operational planning documents contain valuable information about the parameters of the broader authority to conduct ACO/DCOs and specific operations. As such, NSIRA believes it is imperative that employees working on any aspect of delivering an ACO/DCO receive thorough training sessions to familiarize them with the requirements and limitations of their respective operations set out in the [**redacted**] and [**redacted**]. Finally, [**certain employees**] could be tested on their understanding of the MAs and their constraints on specific operations.

Finding no. 7: CSE has provided its employees with high-level learning opportunities to learn about its new authorities to conduct Active and Defensive Cyber Operations (ACO/DCOs). However, employees working directly on ACO/DCOs may not have the requisite understanding of the specifics of CSE’s new legal authorities and parameters surrounding their use.

Recommendation no. 7: CSE should provide a structured training program to its employees involved in the execution of Active and Defensive Cyber Operations (ACO/DCOs), to ensure that they have the requisite knowledge of CSE’s legal authorities, requirements, and prohibitions, as required by the associated Ministerial Authorizations.

Framework for CSE’s Engagement with GAC

Given the legislative requirement for the MFA to provide consent or to be consulted in relation to ACO/DCOs, NSIRA set out to assess whether CSE developed a framework for effective consultation and engagement of GAC officials in the intersection of their respective mandates.

GAC’s assessment of foreign policy risks

In GAC and CSE’s engagement during the development of the consultation framework, they developed a mechanism by which GAC is to consent or be consulted on an operation, and to provide its assessment of the operation’s foreign policy risk. In response to a consultation request by CSE, GAC is responsible for providing, within five business days, a Foreign Policy Risk Assessment (FPRA) that confirms whether [**redacted**]. Notably, the FPRA does not constitute an approval of an operation, only a consultation. In order to inform the development of the FPRA, CSE prepares a tailored [**document/mechanism**] for GAC which summarizes aspects of the operation. In our subsequent review, NSIRA will analyse whether the timeline provided to GAC for specific operations enabled it to meaningfully assess the associated foreign policy risks.

For GAC, several factors affect whether or not an ACO/DCO [**redacted**]. These factors include whether an ACO/DCO aligns with GAC’s position on international norms in cyberspace and the furtherance of Canada’s national interests, [**relates to GC national security matters**]. This is reflected in the TORs for the CSE-GAC WG, which require GAC to assess:

  • [**redacted**]
  • Compliance with international law and cyber norms;
  • Foreign Policy coherence, including whether the operation is in line with foreign policy, national security and defence priorities (i.e., beyond the [Standing Intelligence Requirements]); and
  • [**redacted**]

In the context of the above assessment requirements, GAC explained to NSIRA that it conducts a less detailed assessment of the foreign policy risk of specific operations, through the FPRA, on the basis that it has conducted a more detailed assessment of the classes of activities authorized in the MA. This assessment approach is reflected in [**redacted**] FPRAs received by NSIRA, which concluded that the operations fall within [**redacted**] but did not elaborate on the factors listed above. Given that the FPRA provides assurance of [**redacted**] of specific operations and is required under the ACO MA, NSIRA will closely review these assessments as part of our subsequent review of operations.

Compliance with international law and cyber norms

[**redacted**]

Parliament may authorize violations of international law, but must do so expressly. For example, following the decision in X (Re), 2014 FCA 249, Parliament amended the CSIS Act through the adoption of Bill C-44 in 2015. The new provisions made it explicitly clear that CSIS could perform its duties and functions within or outside of Canada and that, pursuant to the newly adopted provisions of the CSIS Act, a judge may authorize activities outside Canada to enable the Service to investigate a threat to the security of Canada “without regard to any other law.” As per the language of the CSE Act, ACO/DCO MAs may only authorize CSE to carry out ACO/DCO activities “despite any other Act of Parliament or of any foreign state.” As outlined by case law, this language may not be sufficiently clear to allow the Minister to authorize violations of customary international law.

[**redacted**] the MAs reviewed by NSIRA stated that the activities “will conform to Canada’s obligations under international law” and each MA required that CSE’s “activities will not contravene Canada’s obligations under international law.” This would indicate that all activities conducted under this MA would be compliant with international law. However, the governance documents developed by CSE and GAC, such as the CSE-GAC consultation framework, do not set out parameters for assessing ACO/DCO activities for compliance with Canada’s obligations under international law, nor is it made clear against which specific international legal obligations ACO/DCO activities are to be assessed. NSIRA will closely monitor how CSE and GAC consider compliance with international law in relation to ACO/DCO activities in the subsequent review.

In NSIRA’s engagement with GAC, GAC highlighted its interdepartmental and international consultations dating back to 2016 on the Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations (Tallinn Manual 2.0), which informed part of its development of the MAs [**redacted**]. GAC has created a Draft Desk book resulting from these consultations, which identifies Canada’s preliminary assessment of key rules of international law in cyberspace as described within the Tallinn Manual 2.0. NSIRA notes that while this analysis is a draft and does not represent Canada’s final position, it “has served as a starting point for further legal consideration.” NSIRA received no further documents that outline Canada’s understanding of how international law applies to ACO/DCO activities.

Further, documentation provided by both GAC and CSE recognizes a need to assess each potential ACO/DCO for lawfulness. GAC wrote that an analysis of the terms “acknowledged to be harmful” or “posing a threat to international peace and security” should be conducted within the context of each ACO/DCO. [**redacted**]

GAC explained that it assessed each activity within the authorized classes for compliance with international law at the MA development stage, and that consequently, a less detailed assessment of compliance with international law took place at the FPRA stage for each operation. GAC explained that the Draft Desk book and the Tallinn Manual 2.0 were consulted for these activities. From [**redacted**] FPRAs reviewed by NSIRA to date, it is not clear how the Draft Desk book or the analysis of the 2015 UN GGE voluntary norms has informed the assessment of each operation’s level of risk, or GAC’s conclusions that the ACO/DCOs complied with international law. Rather, GAC indicates that activities are compliant with international law, without an explanation of the basis behind these conclusions.

NSIRA notes that international law in cyberspace is a developing area, and recognizes that Canada and other States are continuing to develop and refine their legal analysis in this field. ACO/DCO activities conducted without a thorough and documented assessment of an operation’s compliance with international law would create significant legal risks for Canada if an operation violates international law. Ultimately, a better documented analysis of Canada’s legal obligations when conducting ACO/DCOs is necessary in order for GAC and CSE to assess an operation’s compliance with international law. NSIRA will further examine the lawfulness of ACO/DCO activities in our subsequent review.

Finding no. 8: CSE and GAC have not sufficiently developed a clear and objective framework with which to assess Canada’s obligations under international law in relation to Active and Defensive Cyber Operations.

Recommendation no. 8: CSE and GAC should provide an assessment of the international legal regime applicable to the conduct of Active and Defensive Cyber Operations. Additionally, CSE should require that GAC conduct and document a thorough legal assessment of each operation’s compliance with international law.

Bilateral communication of relevant information

Both GAC and CSE have implemented methodologies that require them to calculate risks based on certain factors. However, these types of risks are not absolute, and depend on a wide range of factors that can change over time or with the emergence of new information. In the case of GAC, those factors center around [**redacted**].

At present, CSE and GAC’s approach to accounting for any change in risks relies on GAC informing CSE if any change to Canada’s foreign policy should arise. However, based on GAC’s methodology above, the foreign policy risk of an operation may also rise if new information is uncovered about [**redacted**] or in relation to the potential impacts of the operation beyond a [**redacted**]. For CSE’s part, it appears to primarily focus on changes to operational risks [**that are uncovered at a certain time or in a certain manner**]. This one-way mechanism does not account for other factors [**redacted**].

In this context, CSE has explained that an ACO/DCO is [**redacted**] and that as result, [**redacted**]. CSE further explained that DX and that subsequent activities may be adjusted as required using information obtained from the previous one. [**redacted**].

In this context, NSIRA observed operations that were planned to take place over a period of time, including a DCO where CSE would undertake [**related to CSE operations**]. Another ACO would see CSE [**redacted**]. In describing this operation to GAC, CSE wrote that activities would take place over a period of time [**redacted**].

[**related to CSE operations**] benefit from [**redacted**] of the ACO/DCOs [**redacted**]. NSIRA believes that a two-way notification mechanism triggering a re-assessment of the risks associated with an ACO/DCO should be established between CSE and GAC, whether those risks are uncovered prior to or during the course of an operation.

Finally, CSE’s internal governance process brings in GAC through [**a certain document/mechanism**]. In this context, GAC has highlighted objectives, [**redacted**] of an operation as information that CSE should provide for the purposes of assessing foreign policy risks. NSIRA has observed that the [**redacted**]. NSIRA notes that these details serve as important context to which GAC should have access as part of its assessment, particularly as GAC includes in its conclusions that the activities complied with [**redacted**].

Finding no. 9: CSE expects GAC to provide notification of any changes to foreign policy risks, but has not sufficiently considered the need to communicate other risks that may arise during an operation to GAC. Further, information critical to GAC’s assessment of foreign policy risks has also been excluded in materials CSE uses to engage GAC on an operation. As such, within the current consultation framework, CSE may not sufficiently communicate relevant information to GAC in support of its foreign policy assessment, and to manage ongoing changes in the risk associated with a cyber operation.

Recommendation no. 9: CSE and GAC should communicate to one another all relevant information and any new developments relevant to assessing risks associated with a cyber operation, both in the planning phases and during its execution.

Conclusion

This was NSIRA’s first review of CSE’s new powers to conduct ACO/DCOs, and it has illustrated CSE and GAC’s development of a governance structure for conducting these operations. CSE has now had the power to conduct these operations since 2019, though this review demonstrated that both departments began conceptualizing a governance regime prior to the coming into force of the CSE Act. NSIRA is satisfied that CSE has, to date, developed a comprehensive governance structure, and commends its regular engagement with GAC to develop a consultation framework that sets out the roles and responsibilities of both departments.

However, at the broader governance level, CSE can improve the transparency and clarity around the planning of ACO/DCOs, particularly at this early stage, by setting out clearer parameters within the associated MAs for the classes of activities and target sets that could comprise ACO/DCOs. NSIRA further believes the continued development of cyber operations should benefit from consultation with other government departments responsible for Canada’s strategic priorities and objectives in the areas of national security and defence. Finally, CSE and GAC should develop a threshold and a definition for what constitutes a pre-emptive DCO, so as to ensure the appropriate involvement of GAC in an operation.

At the operational level, CSE and GAC should ensure that each operation’s compliance with international law is assessed and documented. On CSE’s part, it should ensure that information critical to assessing the risks of an operation be streamlined and included within all governance documents, and made available to all those involved in the development and approval of ACO/DCOs – including GAC. Finally, CSE should ensure that its operational staff are well-versed in the specifics of their new legislative framework and its applicability to specific operations.

While this review focused on the governance structures at play in relation to ACO/DCOs, of even greater importance is how these structures are implemented, and followed, in practice. We have made several observations about the information contained within the governance documents developed to date, and will subsequently assess how they are put into practice as part of our forthcoming review of ACO/DCOs.

Annex A: ACO/DCO Typologies

Figure 1: Different types of cyber operations. Source: CSE briefing materials

[**redacted figure**]

Figure 2: Difference between ACOs and DCOs. Source: CSE briefing material.

Authorized activities
  • Gaining access to a portion of the global information infrastructure
  • Installing, maintaining, copying, distributing, searching, modifying, disrupting, deleting or intercepting anything on or through the global information infrastructure
  • Doing anything that is reasonably necessary to maintain the covert nature of the activity
  • Carrying out any other activity that is reasonable in the circumstances and reasonably necessary in aid of any other activity, or class of activities, authorized by the Ministerial Authorization

Ministerial approval
  • Defensive Cyber Operations: MND approval with MFA consultation
  • Active Cyber Operations: MND approval with the consent or at the request of the MFA

Intent
  • Defensive Cyber Operations: To take action online to protect electronic information and infrastructures of importance to the Government of Canada
  • Active Cyber Operations: To degrade, disrupt, influence, respond to or interfere with the capabilities of a foreign individual, state or organization

Context
  • Defensive Cyber Operations: Initiated in response to a cyber threat, or proactively to prevent a cyber threat
  • Active Cyber Operations: Initiated in accordance with Ministerial direction as it relates to international affairs, defence or security

Threat actor / target set
  • Defensive Cyber Operations: Conducted against threats linked to Government systems and systems of importance, irrespective of the actor (once confirmed not to be against a Canadian, a person in Canada, or the GII in Canada)
  • Active Cyber Operations: Conducted against specific targets in accordance with the Ministerial Authorization (once confirmed not to be against a Canadian, a person in Canada, or the GII in Canada)

Outcome
  • Defensive Cyber Operations: Conducted with a view to stopping or preventing cyber threats in a manner that is reasonable and proportionate to the intrusion or threat
  • Active Cyber Operations: Conducted to the extent directed by the Ministerial Authorization and in a manner that is reasonable and proportionate

Annex B: ACO/DCOs (2019-2020)

[**redacted**]

Annex C: CSE-GAC Framework

CSE-GAC Senior Management Team (SMT), DG level
  • Co-Chairs: CSE, DG [**redacted**]; GAC, DG Intelligence Bureau.
  • Roles and responsibilities: Exchanges information on the departments’ respective plans and priorities, as well as areas of collaboration.

CSE-GAC ACO/DCO Working Group (WG), DG level
  • Co-Chairs: CSE, DG [**redacted**]; GAC, DG Intelligence Bureau. It is composed of some of the same DG-level participants as the SMT as well as their working-level supports.
  • Roles and responsibilities: Under the auspices of the SMT, this entity was established with a mandate to collaborate specifically on ACO/DCO matters. Implementation of the governance framework associated with current and planned [**redacted**]. Coordinates information sharing related to the operational planning and execution of ACO/DCOs, as well as their associated risks and adherence to Canada’s foreign policy. Collaborates on the renewal, evolution, and development of current and future MAs.

ADM level
  • Co-Chairs: CSE, Deputy Chief, SIGINT; GAC, ADM (Political Director) International Security.
  • Roles and responsibilities: Resolves any issues under the purview of the WG that cannot reach resolution at the DG level.

Annex D: Findings and Recommendations

Findings

Finding no. 1: The Active and Defensive Cyber Operations Ministerial Authorization Applications do not provide sufficient detail for the Minister(s) to appreciate the scope of the classes of activities being requested in the authorization. Similarly, the Ministerial Authorization does not sufficiently delineate precise classes of activities, associated techniques, and intended target sets to be employed in the conduct of operations.

Finding no. 2: The assessment of the foreign policy risks required by two conditions within the Active and Defensive Cyber Operations Ministerial Authorizations relies too much on technical attribution risks rather than characteristics that reflect Government of Canada’s foreign policy.

Finding no. 3: The current governance framework does not include a mechanism to confirm an Active Cyber Operation’s (ACO) alignment with broader Government of Canada (GC) strategic priorities as required by the CSE Act and the Ministerial Authorization. While these objectives and priorities fall outside the remit of CSE and GAC alone, the two departments govern ACOs without input from the broader GC community involved in managing Canada’s overarching objectives.

Finding no. 4: CSE and GAC have not established a threshold to determine how to identify and differentiate between a pre-emptive Defensive Cyber Operation and an Active Cyber Operation, which can lead to the insufficient involvement of GAC if the operation is misclassified as defensive.

Finding no. 5: CSE’s internal policies regarding the collection of information in the conduct of cyber operations are not accurately described within the Active and Defensive Cyber Operations Ministerial Authorizations.

Finding no. 6: The [**redacted**] process, which occurs after planning documents have been approved, contains information that is pertinent to CSE’s broader operational plans. The [**redacted**] at times contained pertinent information absent from these other documents, even though it is approved at a lower level of management.

Finding no. 7: CSE has provided its employees with high-level learning opportunities to learn about its new authorities to conduct Active and Defensive Cyber Operations (ACO/DCOs). However, employees working directly on ACO/DCOs may not have the requisite understanding of the specifics of CSE’s new legal authorities and parameters surrounding their use.

Finding no. 8: CSE and GAC have not sufficiently developed a clear and objective framework with which to assess Canada’s obligations under international law in relation to Active and Defensive Cyber Operations.

Finding no. 9: CSE expects GAC to provide notification of any changes to foreign policy risks, but has not sufficiently considered the need to communicate other risks that may arise during an operation to GAC. Further, information critical to GAC’s assessment of foreign policy risks has also been excluded in materials CSE uses to engage GAC on an operation. As such, within the current consultation framework, CSE may not sufficiently communicate relevant information to GAC in support of its foreign policy assessment, and to manage ongoing changes in the risk associated with a cyber operation.

Recommendations

Recommendation no. 1: CSE should more precisely define the classes of activities, associated techniques, and intended target sets to be undertaken for Active and Defensive Cyber Operations as well as their underlying rationale and objectives, both in its Applications and associated Ministerial Authorizations for these activities.

Recommendation no. 2: GAC should include a mechanism to assess all relevant foreign policy risk parameters of Active and Defensive Cyber Operations within the associated Ministerial Authorizations.

Recommendation no. 3: CSE and GAC should establish a framework to consult key stakeholders, such as the National Security and Intelligence Advisor to the Prime Minister and other federal departments whose mandates intersect with proposed Active Cyber Operations, to ensure that they align with broader Government of Canada strategic priorities and that the requirements of the CSE Act are satisfied.

Recommendation no. 4: CSE and GAC should develop a threshold that discerns between an Active Cyber Operation and a pre-emptive Defensive Cyber Operation, and this threshold should be described to the Minister of National Defence within the applicable Ministerial Authorizations.

Recommendation no. 5: In its applications to the Minister of National Defence, CSE should accurately describe the potential for collection activities to occur under separate authorizations while engaging in Active and Defensive Cyber Operations.

Recommendation no. 6: CSE should include all pertinent information, including targeting and contextual information, within all operational plans in place for a cyber operation, and in materials it presents to GAC.

Recommendation no. 7: CSE should provide a structured training program to its employees involved in the execution of Active and Defensive Cyber Operations (ACO/DCOs), to ensure that they have the requisite knowledge of CSE’s legal authorities, requirements, and prohibitions, as required by the associated Ministerial Authorizations.

Recommendation no. 8: CSE and GAC should provide an assessment of the international legal regime applicable to the conduct of Active and Defensive Cyber Operations. Additionally, CSE should require that GAC conduct and document a thorough legal assessment of each operation’s compliance with international law.

Recommendation no. 9: CSE and GAC should communicate to one another all relevant information and any new developments relevant to assessing risks associated with a cyber operation, both in the planning phases and during its execution.


Review of Canada Revenue Agency’s Review and Analysis Division (RAD): Notification Letter

Date of Publishing:

March 08, 2023

Bob Hamilton
Commissioner of Revenue and Chief Executive Officer
Canada Revenue Agency


Dear Mr. Hamilton,

I am writing on behalf of the Members of the National Security and Intelligence Review Agency (NSIRA) to inform you that NSIRA is commencing a review of the Canada Revenue Agency’s Review and Analysis Division (RAD).

The review focuses on the RAD program’s national security activities and decision-making relating to registered Canadian charities, to assess their reasonableness, necessity, and compliance with the law.

This review is conducted pursuant to paragraph 8(1)(b) of the NSIRA Act. The NSIRA Act grants NSIRA full and timely access to all information held by reviewed departments and agencies, including classified and sensitive information, with the exception of cabinet confidences.

Please identify any specific contacts you deem relevant for the topic(s) being addressed by this review. NSIRA will be in contact with your officials with requests for preliminary briefings and documents to gain an introductory overview of CRA and RAD’s activities. Depending on the scope of the review, to be determined at a later time, NSIRA will also contact any other implicated departments or agencies to inform them of this review.

In the interim, if there are any questions or comments, I would be pleased to discuss them at your convenience.

I thank you in advance for your cooperation and support to the independent review process, which is key to the transparency and accountability we provide to Canadians on behalf of the Government of Canada.

Sincerely,
John Davies
Executive Director, NSIRA

P.O. Box / C.P. 2430, Station / Succursale “D”
Ottawa, Canada K1P 5W5


Review of Canadian Security Intelligence Service Info Sharing: Report

Authorities

This review was initially undertaken by the Security Intelligence Review Committee (SIRC) as articulated in section 38(1) of the Canadian Security Intelligence Service Act, which stipulates that SIRC is mandated to review CSIS’s operations in the performance of its duties and functions.

However, while this review was being prepared, Bill C-59, An Act respecting national security matters, received Royal Assent on June 21, 2019. Part 1 of the Bill enacts the National Security and Intelligence Review Agency Act (NSIRA Act), which was brought into force through an Order in Council on July 12, 2019. The NSIRA Act repeals the provisions of the CSIS Act establishing the Security Intelligence Review Committee, which was replaced following the establishment of the National Security and Intelligence Review Agency (NSIRA). The NSIRA Act sets out the composition, the mandate and the powers of NSIRA, and amends the CSIS Act and other Acts to transfer certain powers, duties and functions to NSIRA.

This review therefore continued under paragraph 8(1)(a) and subsection 8(3) of the NSIRA Act, and proceeded with the examination of activities performed by CSIS in order to submit findings and formulate appropriate recommendations.

Introduction

CSIS considers that information sharing with non-Canadian entities is crucial inasmuch as it enables the Service to carry out its mandate to guard against threats to national security. However, information sharing with non-Canadian entities (or foreign entities) involves a certain level of risk, which means that CSIS has had to develop a series of measures aiming at mitigating that risk. For instance, information sharing must be subject to caveats and assurances, either verbal or written, therefore placing restrictions on methods through which CSIS information may be used or shared.

Numerous SIRC reviews addressed the issue of information sharing with foreign entities. For example, in 2015, SIRC established that CSIS needed to apply DDO’s directives more rigorously and more consistently, especially the part that documents the decision-making process. Furthermore, in 2017, SIRC raised concerns about the fact that operations managers would not adequately evaluate or sufficiently document the risks arising from failures to respect caveats and assurances. In 2018, SIRC found that the post [**redacted**] had not attempted to obtain new assurances or to renew the current ones. More recently, the review of the [**redacted**] post demonstrated—even though SIRC had not raised any concerns about the nature and scope of the information shared with foreign entities—that there was a requirement for using substantive caveats and assurances in order to facilitate information sharing, which includes commenting on the methods used by CSIS to measure the outcomes.

Objectives

The objective set for this review is to determine the degree to which:

1. CSIS sought assurances that would be sufficient to ensure that

  • the Service has the ability to meet its legal obligations and to comply with Ministerial Directions during the information sharing; and,
  • the Service has the ability, where possible, to mitigate the risks posed by the sharing of information with foreign entities;

2. the proposed changes to policies and procedures (to be issued in 2019) will strengthen the regime that governs information exchange with foreign entities.

Scope and methodology

The scope of this review includes examining the information exchange cycle from entering agreements with foreign entities to managing higher-risk information exchange, including caveats and assurances applying to information exchange with foreign entities whose human rights record remains a concern.

NSIRA selected three (3) case studies based on decisions made by the Information Sharing Evaluation Committee (ISEC or the Committee) in 2018-2019. For those three case studies, NSIRA reviewed the information sharing cycle, from the conclusion of an arrangement to the risks inherent in sharing information with foreign entities. These case studies were not randomly selected; they were chosen on two parameters: the countries involved were assessed as posing a high risk of human rights violations, and there was at least one dissenting vote within ISEC, according to the meeting minutes.

For the three case studies, SIRC reviewed all relevant documents, either written or electronic, including records, correspondence and any other legal or regulatory documents applying to information sharing processes and procedures.

Criteria

The performance of CSIS is assessed against provisions set out in CSIS governance documents. NSIRA expects that CSIS operates in accordance with the Canadian Charter of Rights and Freedoms, the CSIS Act, the Criminal Code of Canada and the direction provided by the Minister of Public Safety, as well as with applicable policies and procedures.

The following ministerial obligations and CSIS internal policies and procedures apply to this assessment:

Ministerial Obligations

  • Ministerial Direction to the Canadian Security Intelligence Service: Accountability, July 31, 2015; and,
  • Ministerial Direction to the Canadian Security Intelligence Service: Avoiding Complicity in Mistreatment by Foreign Entities, September 25, 2017.

Policies and Procedures

  • DDO Directive on Information Sharing with Foreign Entities (2017);
  • Procedures: Requesting and Modifying Foreign Arrangements;
  • CSIS Procedure: Caveats and Assurances;
  • OPS-601 – Authorized Disclosure of Information and Intelligence – General;
  • OPS-602 – Disclosure of Security Information or Intelligence; and,
  • Memorandum from the ADO [**redacted**] – Reminder concerning assurances from foreign entities (previous and/or continued respect for human rights), dated December 19, 2018.

Background

As of May 2019, CSIS had signed 313 arrangements with foreign entities spread across more than 150 countries and territories. Since April 2018, [**redacted**] of those arrangements have been considered active, although subject to restrictions.

Section 17 of the CSIS Act

In order to meet the requirements of its mandate to investigate threats to the security of Canada, CSIS needs to share information with foreign entities. Under section 17 of the CSIS Act, the Service may, with the approval of the Minister after consultation by the Minister of Public Safety with the Minister of Foreign Affairs, enter into an arrangement or otherwise cooperate with a foreign entity. This section codified a practice long established within the RCMP Security Service of concluding information sharing arrangements with other jurisdictions.

Any new arrangement must be considered beneficial to CSIS operational priorities, namely that it must directly meet Government of Canada and CSIS intelligence requirements. The Foreign Relations Branch (FRB) is responsible for managing and assessing such arrangements with foreign entities. Following a CSIS enquiry concerning a possible arrangement with a foreign entity, the Branch opens a discussion with Global Affairs Canada (GAC). Meanwhile, the Director of CSIS submits to the Minister of Public Safety a request to authorize the conclusion of an arrangement with the foreign entity in question. After consultation between the two ministers, the Minister of Public Safety indicates to the Director of CSIS whether or not the arrangement is authorized.

FRB must also consistently monitor and assess each foreign entity’s human rights record, and record this information in the arrangement profile maintained for each foreign entity. The Branch creates the arrangement profile, which can be shared with other Canadian agencies or departments upon request.

Ministerial Directions

The most recent ministerial directions relating to arrangements with foreign entities date back to 2015 and 2017. The Ministerial Direction for Operations and Accountability was published on July 31, 2015. Annex A indicates that CSIS is the lead agency for liaising and cooperating with foreign entities in relation to threats to the security of Canada, and to security assessments under the CSIS Act. Annex A also provides guidelines for the conclusion of any such arrangement.

Ministerial Directions (MD) have also been issued in relation to human rights. The Minister decided to revise the 2011 ministerial direction on information sharing with foreign entities. In the Ministerial Direction: Avoiding Complicity in Mistreatment by Foreign Entities, published on September 25, 2017, the Minister instructed CSIS that the Service is to strongly oppose the infliction of mistreatment regardless of the motives.

The new MD sets out specific prohibitions for the disclosure, requesting and use of information. It clearly prohibits disclosing or requesting information where doing so would result in substantial risk of mistreatment. Moreover, it is forbidden to use information likely obtained through mistreatment. However, there is one exception:

Such information can only be used to deprive a person of their rights or freedoms in exceptional cases – to prevent loss of life or serious personal injury – with the approval of the Deputy Head [Director of CSIS].

The MD also requires that reports be submitted to the government for transparency and greater accountability. Thus, the Minister, the National Security and Intelligence Committee of Parliamentarians and NSIRA are to be kept informed of all cases referred to the Deputy Head (i.e., the Director of CSIS).

Evaluation process – Information Sharing with or Request to Foreign Entities

A few days after the publication of the MD Avoiding Complicity in Mistreatment by Foreign Entities, the Deputy Director of Operations (DDO) issued a directive instructing CSIS employees to comply with new requirements. Dated September 28, 2017, the Directive from the DDO intended to provide CSIS employees with tools that would allow them to comply with Canadian and international law. The Directive emphasized the importance of obtaining the appropriate level of approval for any sharing of information with foreign entities, adding that the said level ought to be proportional to the risk that the information might have been obtained through mistreatment or might be the cause of mistreatment.

The decision-making process for information sharing with foreign entities must analyze and take into account important considerations to ensure the information is accurate and reliable, and to ensure that the information has not been obtained through mistreatment. When using information acquired from a foreign entity, CSIS must determine whether:

  • the information was obtained while a detainee was being interrogated outside of Canada;
  • the information was obtained through incriminating admission; and,
  • there are other indicators of potential mistreatment (including, but not limited to poor human rights record; unusual extradition practice, e.g., transferring suspects from one State to another without regard to the law; etc.).

When information sharing with a foreign entity is required, CSIS must base its assessment on three criteria:

  • is the information about a person detained outside of Canada?
  • would the information potentially lead to adverse actions against a person (detained or other)? and,
  • are there other indicators pointing to a risk of mistreatment if information is shared or requested?

When at least one criterion applies to the information (either received or to be provided), CSIS cannot use or share this information until a review has been conducted by the Deputy Director General Operations (DDG OPS). If the DDG considers that a risk of mistreatment exists and that caveats and assurances would not help mitigate that risk, the case is referred to ISEC for assessment and decision.

The information received can be used once the Committee has assessed that it had not been obtained through mistreatment. If the Committee finds it was likely obtained through mistreatment, the information received cannot be used. In rare exceptions where CSIS’s posture would require the sharing of information likely obtained through mistreatment (following a rigorous case analysis) – for instance, when there is a serious or imminent threat -, the Director is responsible for making a decision. This provision is included in the MD (2017 version).

With respect to the information shared with or requested from foreign entities, the Committee must refer the case to the Director for decision if:

  • the Committee determines there is a risk of mistreatment and this risk cannot be mitigated, while there is a serious threat of injury or loss of life; or
  • the Committee is not able to determine whether a substantial risk of mistreatment can be mitigated with the use of caveats or assurances.

Finally, if the substantial risk cannot be mitigated, information will neither be requested from nor be shared with the foreign entity.

Until recently, the Committee required a quorum of six (6) persons, and decisions were based on a majority vote. Since the spring of 2019, decisions are made by consensus.

Update – New Procedural Restrictions

In April 2018, FRB recommended restricting an additional number of arrangements, which would allow CSIS to fully comply with the MD Avoiding Complicity in Mistreatment. CSIS adopted a new model whose purpose is to restrict arrangements with foreign entities based on three levels of restriction that apply in accordance with specific circumstances. In a letter to the Minister of Public Safety, the Director explains that this new approach aligns with the following three objectives:

  • ensure CSIS engagement with a foreign entity does not pose a substantial risk of mistreatment;
  • allow information sharing that is not likely to pose a risk of mistreatment, thus promoting a certain level of continued engagement; and,
  • ensure full compliance with the new MD.

At the same time, CSIS informed NSIRA that a new mechanism had been put in place; it also indicated which foreign entities were involved, including the ones that are subject to restrictions.

Risk Mitigation Measures

Caveats and assurances from countries with a human rights record that is questionable or that raises concerns present a considerable challenge for CSIS. In fact, according to several experts and civil society organizations like Human Rights Watch, Civil Liberties Union, and Amnesty International Canada, sharing information with certain countries raises numerous issues considering the substantial risk of mistreatment this practice may entail and the possibility that risk mitigation may not be possible.

The MD to CSIS on avoiding complicity in mistreatment by foreign entities clearly sets out the parameters to consider when sharing information with countries known to have a poor human rights record. In 2009, CSIS implemented a procedure to obtain more comprehensive assurances from foreign entities. This procedure was under review in the spring of 2019. NSIRA was advised that the procedures relating to caveats and assurances would soon be replaced.

Caveats

CSIS caveats provide the recipient with instructions on information handling in order to avoid misclassification or dissemination that would be potentially prejudicial to CSIS.

As of July 8, 2019, new procedures to apply to Canadian and foreign recipients came into effect. These procedures now come with tools that help identify the caveat to be used or provide a new function that automatically inserts, when required, a caveat into an operational report. This function can even validate the selected caveat.

Assurances

FRB is currently preparing procedures that align with human rights assurances required from foreign entities. CSIS needs to apply such measures to mitigate risks when information sharing takes place. These measures are to be used together with appropriate caveats during the sharing process. They should become effective subsequently.

Decision-Making Process

At the end of 2018, CSIS reviewed its decision-making procedures. The new measures were announced in May 2019 and will come into force in the coming months. NSIRA was informed that from now on, ISEC is to make decisions by consensus instead of by majority. Moreover, the Legal Services representative (Department of Justice) is no longer a voting member, but acts as a legal advisor to ISEC. Lastly, the OPS EXEC team will be informed on a regular basis of trends and disputes in the ISEC decision-making process. Once management is informed, a discussion will take place; a recommendation will then be made to resolve the issue and/or the issue will be brought to the attention of the Director of CSIS.

Findings

Finding 1: Taking [**redacted**] into Account

NSIRA finds that two of the cases examined by ISEC should have been transferred to the Director, for it is the Director, not the Committee, who is responsible for making a final decision in compliance with MD: Avoiding Complicity in the Mistreatment by Foreign Entities. [**redacted**].

CSIS received information [**redacted**]. This case was referred to ISEC since some indicators pointed to [**redacted**] poor human rights record. It was referred to the Committee on November 9, 2018.

[**redacted**]

ISEC concluded that exchanging this information would pose substantial mistreatment risk, even with [**redacted**]. However, ISEC also considered that the risk could be mitigated by using proper caveats and seeking assurances from [**redacted**].

Meanwhile, [**redacted**] also considered that sharing information with [**redacted**]. In this case, the meeting minutes do not contain any additional information regarding the verbally expressed [**redacted**]

On November 9, 2011, the Deputy Director Intelligence (DDI) approved the majority decision by agreeing that there was a substantial risk of mistreatment, but that the said risk could be mitigated and the information could therefore be shared, as long as appropriate caveats and existing assurances are applied.

[**redacted**]

In this case, the information sharing with [**redacted**], pertained to [**redacted**]. The information relating to [**redacted**]. The case was referred to ISEC on October 4, 2018.

Nevertheless, two Committee members (the Committee has five [5] voting members) expressed their disagreement: [**redacted**]

On October 30, 2018, despite the substantial risk of mistreatment, the DDI considered that the risk could indeed be mitigated through caveats and [**redacted**] assurances, and therefore approved the majority decision.

Comments

The assessment of mitigation measures and their impact is not only a legal issue; it must also be considered in light of established facts. CSIS remains responsible for decisions made within ISEC. [**redacted**]

When a decision needs to be made, the Service is not obligated to [**redacted**]. Other ISEC members, for instance other CSIS branches and GAC, express their viewpoint when an assessment of the substantial risk of mistreatment is required. All the same, according to NSIRA, the Director must be advised when the [**redacted**] believes that the proposed action is not permitted [**redacted**]

Lastly, NSIRA notes that the majority-based decision process was not advisable, since the majority of members are from CSIS. [**redacted**]. With the consensus-based decision-making process recently adopted by CSIS, particularly contentious cases will be escalated to a higher level, namely the Director of CSIS.

Recommendation 1

NSIRA recommends, when [**redacted**] consider that substantial risk of mistreatment cannot be mitigated, that the case be automatically referred to the Director for a final decision.

Finding 2: Lack [**redacted**] regarding [**redacted**]

After reviewing information, NSIRA finds that no written [**redacted**] had been obtained to validate or invalidate the [**redacted**] notice orally communicated to ISEC regarding the use of [**redacted**] as a mitigation measure during information sharing.

CSIS is currently reviewing risk mitigation measures that would permit information sharing when human rights concerns are raised about a foreign entity. One of the measures considered by CSIS would be [**redacted**]

[**redacted**]

In the second case regarding [**redacted**] the case was referred to ISEC [**redacted**] on May [**redacted**].

ISEC concluded there was a substantial risk of mistreatment [**redacted**]. Maintaining there was no appropriate mitigation measures in place, the Committee concluded that the risk could not be mitigated. Therefore, the case was escalated to the acting director, [**redacted**].

The Committee Chair indicated that all members agreed there was a substantial risk of mistreatment and that ISEC members should understand how, before being satisfied that it would constitute an appropriate mitigation measure.

ISEC requested [**redacted**] to explore other options that would mitigate the risk of mistreatment. Before making a decision, the Director of CSIS also requested more information regarding [**redacted**]. The Branch ultimately withdrew its request, as the information discussed [**redacted**] no longer needed to be shared, [**redacted**].

NSIRA submitted a request to CSIS asking whether a written legal opinion had been provided to CSIS regarding [**redacted**].

Comments

For the two case scenarios relating to [**redacted**] CSIS tried to [**redacted**]. In both cases, [**redacted**].

ISEC’s decision-making process cannot always provide sufficient [**redacted**] time to thoroughly analyze case facts. Specifically, the process is not always conducive to considering additional legal aspects and factors. A formal legal opinion would, however, allow CSIS to determine whether [**redacted**] mitigation measures are valid.

In this case, the information held by CSIS regarding the threat was time-sensitive, and it was not possible to share it [**redacted**]. A formal legal opinion would help CSIS avoid this kind of outcome, which could have serious repercussions in the future.

Recommendation 2

NSIRA recommends that CSIS request a formal legal opinion before determining whether [**redacted**] could be used in the future as mitigation measures for information sharing with a foreign entity.

Annex A: Case Studies

In [**redacted**] the Solicitor General authorized CSIS to establish, with [**redacted**] an arrangement that would allow information sharing [**redacted**]. Since [**redacted**] CSIS has collaborated with [**redacted**].

In [**redacted**] the information sharing arrangement between Canada and [**redacted**] was a level [**redacted**] agreement, given the serious allegations of human rights violations [**redacted**] and the potential risk of mistreatment. CSIS is well aware of the situation and ‘obtained general assurance [**redacted**].

First case study – [**redacted**] The case was presented to ISEC on November 9, 2018.

Summary

[**redacted**] which would enable [**redacted**] to share information with [**redacted**].

Decision

On November 9, 2018, ISEC made the following decision:

  • In accordance with DDO Directive on Information Sharing with Foreign Entities (2017), the Committee notes there is a substantial risk of mistreatment [**redacted**] share information with [**redacted**]. Therefore, with proper caveats and existing assurances, the information may be shared.

[**redacted**] AFC noted that information sharing [**redacted**] carried substantial risk of mistreatment and that the said risk could not be mitigated.

On November 9, 2018, [**redacted**] an update regarding qualification of the information source (qualification de la source de l’information).

On the same day, ADI gave its approval to the majority decision. ADI recognized there was a substantial risk of mistreatment, but also indicated that the said risk could be mitigated and that the information could therefore be shared with the proper caveats and existing assurances.

Second Case Study – [**redacted**] The case was submitted to ISEC on May 29, 2018.

Summary

[**redacted**]

Decision

In accordance with DDO Directive on Information Sharing with Foreign Entities (2017), the Committee notes that information sharing with [**redacted**] poses substantial risk of mistreatment, but there are no adequate mitigation measures in place, which makes it impossible to mitigate the risk. Therefore, the case must be escalated to the acting Director, while [**redacted**] will explore other mitigation options involving [**redacted**]

On May 29, 2018, ADP approved the Committee’s recommendation.

On the same day, before making a decision in this matter, the acting Director of CSIS requested additional information from [**redacted**] regarding [**redacted**]

On August 1, 2018, [**redacted**]

On November 1, 2018, [**redacted**] withdrew the request previously submitted to ISEC, as the information discussed on [**redacted**] no longer needed to be sent [**redacted**]

Identified Risk

Given [**redacted**] human rights record, there is still a possibility that detained persons could be mistreated, because CSIS offers to share information containing [**redacted**]

Minutes

The Chair informs the members that this instance of information sharing with [**redacted**] is the first to be brought to ISEC’s attention and the first case where there is a risk that [**redacted**] information be shared with an entity [**redacted**].

[**redacted**] highlights the fact that information sharing [**redacted**] remains the issue to consider based on [**redacted**] risk of mistreatment as well as the stipulations included in the MD and the Charter. [**redacted**] asks whether the decision in the matter would be referred to the Director.

The Chair declares that all members agree to the fact that there is a substantial risk of mistreatment and that [**redacted**] must be understood before ISEC is satisfied that it represents an adequate mitigation measure.

[**redacted**] the relation [**redacted**] dates [**redacted**]. In [**redacted**] CSIS submitted to Solicitor General Canada a request to obtain an [**redacted**] in order to cover provisions [**redacted**]. CSIS had also informed the Solicitor General that relations with [**redacted**].

[**redacted**]

Third Case Study [**redacted**]

The proposed information sharing with [**redacted**] pertained to [**redacted**]. The file was submitted to ISEC on [**redacted**]

Information related to the [**redacted**].

During their briefing, [**redacted**] also provided [**redacted**] for sharing information. The objective was to communicate information [**redacted**]. In addition, the Branch [**redacted**] wanted to provide information [**redacted**]

[**redacted**]

[**redacted**]

[**redacted**]

Committee’s Decision

In keeping with the DDO Directive on Information Sharing with Foreign Entities (2017), the Committee notes that information sharing with [**redacted**] poses substantial risk of mistreatment [**redacted**]. The Committee considers that the risk can be mitigated with caveats and [**redacted**] assurances.

Nevertheless, [**redacted**] Committee members, [**redacted**] expressed their disagreement. [**redacted**].


Review of Canadian Security Intelligence Service Info Sharing: Backgrounder

Backgrounder

The Security Intelligence Review Committee (SIRC) began reviewing the Canadian Security Intelligence Service’s (CSIS) information-sharing practices with non-Canadian entities before NSIRA was established. After the NSIRA Act was passed in 2019, NSIRA completed the review.

CSIS considers information sharing with non-Canadian entities essential to its mandate of investigating and protecting against threats to Canada’s security. This review focuses on activities from 2018-2019, prior to the passing of the Avoiding Complicity in Mistreatment by Foreign Entities Act (ACA).

Previous SIRC reviews of CSIS had raised concerns about its information-sharing practices with foreign entities, including:

  • Inadequate evaluation and documentation of risks related to caveats and assurances,
  • A need for more consistent adherence to Deputy Director Operations directives, and
  • Failure to secure or maintain assurances on the handling of disclosed CSIS information.

This review focused on whether CSIS has addressed these concerns. It found issues in the decision-making process, particularly when sharing information with persons at higher risk of mistreatment. The review also looked at how policy and procedure changes could improve compliance.

Since the time this review was completed, CSIS made several key updates to its information-sharing policies and procedures. These changes were influenced by the ACA’s passage and recommendations from other NSIRA reviews of CSIS which occurred since 2019. NSIRA also now conducts an annual review of the implementation of ACA-related directions, including those at CSIS. This annual review ensures that the Government of Canada is accountable for the information it shares with foreign partners and upholds Canadian values and commitments.


Review of the Canada Border Services Agency’s Confidential Human Source Program: Report

Report


Review of Departmental Implementation of the Avoiding Complicity in Mistreatment by Foreign Entities Act for 2022: Report

Report

Abbreviations and Their Full Forms

ACA: Avoiding Complicity in Mistreatment by Foreign Entities Act
CBSA: Canada Border Services Agency
CRA: Canada Revenue Agency
CSE: Communications Security Establishment
CSIS: Canadian Security Intelligence Service
DFO: Department of Fisheries and Oceans
DND/CAF: Department of National Defence/Canadian Armed Forces
FINTRAC: Financial Transactions and Reports Analysis Centre of Canada
GAC: Global Affairs Canada
GC: Government of Canada
HRR: Human Rights Report
IRCC: Immigration, Refugees and Citizenship Canada
ISCG: Information Sharing Coordination Group
MD: Ministerial Direction
NSIRA: National Security and Intelligence Review Agency
OiC: Order in Council
PS: Public Safety Canada
RCMP: Royal Canadian Mounted Police
SRM: Substantial risk of mistreatment
TC: Transport Canada
French Abbreviations and Their Full Forms

AMC: Affaires mondiales Canada (Global Affairs Canada)
ARC: Agence du revenu du Canada (Canada Revenue Agency)
ASFC: Agence des services frontaliers du Canada (Canada Border Services Agency)
CANAFE: Centre d’analyse des opérations et déclarations financières du Canada (Financial Transactions and Reports Analysis Centre of Canada)
CST: Centre de la sécurité des télécommunications (Communications Security Establishment)
OC: Décret en conseil (Order in Council)
GC: Gouvernement du Canada (Government of Canada)
GCER: Groupe de coordination d’échange de renseignements (Information Sharing Coordination Group)
GRC: Gendarmerie royale du Canada (Royal Canadian Mounted Police)
IM: Instructions du ministre (Ministerial Direction)
IRCC: Immigration, Réfugiés et Citoyenneté Canada (Immigration, Refugees and Citizenship Canada)
LECCMTIEE: Loi visant à éviter la complicité dans les cas de mauvais traitements infligés par des entités étrangères (Avoiding Complicity in Mistreatment by Foreign Entities Act)
MDN/FAC: Ministère de la Défense nationale/Forces armées canadiennes (Department of National Defence/Canadian Armed Forces)
MPO: Ministère des Pêches et des Océans (Department of Fisheries and Oceans)
OSSNR: Office de surveillance des activités en matière de sécurité nationale et de renseignement (National Security and Intelligence Review Agency)
RDP: Rapport sur les droits de la personne (Human Rights Report)
RSMT: Risque sérieux de mauvais traitements (Substantial risk of mistreatment)
SCRS: Service canadien du renseignement de sécurité (Canadian Security Intelligence Service)
SP: Sécurité publique Canada (Public Safety Canada)
TC: Transports Canada (Transport Canada)
Key Terms and Definitions

2017 MDs: Ministerial Directions (MDs) issued to CBSA, CSIS, CSE, DND/CAF, GAC, and RCMP in 2017 regarding avoiding complicity in mistreatment by foreign entities.
departments: Refers, in the context of this review, to those departments and agencies whose deputy heads have been issued written directions under the ACA.
foreign entities: As defined in the 2017 MDs: “may include foreign governments, their departments, agencies and militaries, and may also refer to military coalitions, alliances, and international organizations.”
mistreatment: As defined in section 2 of the ACA: “torture or other cruel, inhuman or degrading treatment or punishment, within the meaning of the Convention Against Torture and Other Cruel, Inhuman or Degrading Treatment or Punishment, signed at New York on December 10, 1984 (mauvais traitements).”
policy instruments: Frameworks, policies, directives, standards, guidelines, and tools developed, in the context of this review, to govern departments’ implementation of the ACA.
residual risk: The level of risk that remains in a given context after mitigations are applied.
substantial risk: As defined in the 2017 MDs: “A personal, present, and foreseeable risk of mistreatment. In order to be ‘substantial’, the risk must be real and must be based on something more than mere theory or speculation. In most cases, the test of a substantial risk of mistreatment will be satisfied when it is more likely than not that there will be mistreatment; however, in some cases, particularly where the risk is of severe harm, the ‘substantial risk’ standard may be satisfied at a lower level of probability.”
untreated risk: The level of risk in a given context before any mitigations are applied.

Executive Summary

This review assessed departments’ compliance with the Avoiding Complicity in Mistreatment by Foreign Entities Act (or Avoiding Complicity Act; ACA) and their implementation of the ACA’s associated directions during the 2022 calendar year. Within this context, the review pursued a thematic focus on departments’ conduct of risk assessments, including the ways in which their methodologies may lead to a systematic under-assessment of the level of risk involved in an information-sharing transaction.

NSIRA’s findings and recommendations in this report reflect both developments and stagnations in departments’ implementation of the directions over time. Of note, NSIRA observed efforts in 2022 to collaborate interdepartmentally, and standardize certain practices across the Government of Canada. While these efforts reflect an improvement over past approaches, they fall short of the directions’ envisioned consistent framework for foreign information sharing government-wide. Additionally, NSIRA observed a number of practices that may lead departments to systematically under-assess the risks involved in contemplated information exchanges. Such under-assessments may, in turn, lead to information being exchanged in contravention of the directions’ prohibitions.

NSIRA made five recommendations in this review. Collectively, they would ensure that all departments’ ACA frameworks reflect a degree of standardization commensurate with the spirit of the ACA and its associated directions; and that these frameworks are designed to support compliance with the directions.

Introduction

Authority

This review was conducted pursuant to paragraph 8(1)(b), paragraph 8(2.1)(c), and subsection 8(2.2) of the National Security and Intelligence Review Agency Act (NSIRA Act).

Scope of the Review

This review assessed departments’ compliance with the Avoiding Complicity in Mistreatment by Foreign Entities Act (or Avoiding Complicity Act; ACA) and their implementation of the ACA’s associated directions during the 2022 calendar year. Within this context, the review pursued a thematic focus on departments’ conduct of risk assessments, including the ways in which their methodologies may lead to a systematic under-assessment of the level of risk involved in an information-sharing transaction.

The review included all departments that have been issued directions under the ACA: Canada Border Services Agency (CBSA); Canada Revenue Agency (CRA); Communications Security Establishment (CSE); Canadian Security Intelligence Service (CSIS); Department of Fisheries and Oceans (DFO); Department of National Defence and Canadian Armed Forces (DND/CAF); Financial Transactions and Reports Analysis Centre of Canada (FINTRAC); Global Affairs Canada (GAC); Immigration, Refugees and Citizenship Canada (IRCC); Public Safety Canada (PS); Royal Canadian Mounted Police (RCMP); and Transport Canada (TC).

The review also considered DND/CAF’s implementation of Ministerial Direction (MD) it received in 2022 regarding avoiding complicity in mistreatment by foreign entities.

Methodology

NSIRA conducted a document review of departments’ ACA policy instruments, and departments’ associated written explanations, provided in response to requests for information. NSIRA also conducted a comparative analysis of a targeted sample of departmental risk assessments pertaining to 19 countries, and to the foreign entities within those countries for which such assessments existed. NSIRA assessed compliance with reporting requirements based on primary records made public or submitted to NSIRA in accordance with the ACA and its directions.

Review Statements

CBSA, CRA, DFO, DND/CAF, FINTRAC, IRCC, PS, RCMP, and TC met NSIRA’s expectations for responsiveness during this review. CSE, CSIS, and GAC only partially met NSIRA’s expectations, as CSE did not consistently respond to NSIRA’s requests for information in a format that met the review’s requirements, and CSIS and GAC did not consistently respond to NSIRA’s requests in a timely manner.

NSIRA was able to verify information for this review in a manner that met expectations.

NSIRA wishes to thank PS for its assistance in coordinating the factual accuracy consultations for this review.

Background

The ACA and the directions issued pursuant to it seek to prevent the Government of Canada (GC) from disclosing information to—or requesting information from—a foreign entity that would result in substantial risk of mistreatment (SRM) of an individual, and to set limitations on the use of information that is likely to have been obtained through mistreatment. The objective of the directions is to demonstrate the Government’s commitment to make Canada’s information sharing regime more transparent, consistent, and accountable; and to enhance oversight on a government-wide basis.

In 2019, directions were issued pursuant to the ACA, by Order in Council (OiC), to the deputy heads of twelve departments and agencies. For CBSA, CSE, CSIS, DND/CAF, GAC, and RCMP, the OiC directions replaced MDs that had been issued in 2017. In adding CRA, DFO, FINTRAC, IRCC, PS, and TC as recipients, the OiC directions broadened the application of measures to prevent mistreatment.

NSIRA has previously reviewed departments’ implementation of the 2017 MDs and, as required under the NSIRA Act, implementation of the OiC directions in every year since the ACA’s coming into force. This is NSIRA’s fourth such annual review.

Findings, Analysis, and Recommendations

Compliance with the ACA


Finding 1. NSIRA found that all departments, with the exception of DFO in respect of subsection 7(1), complied with the reporting requirements set out in the ACA.


Subsection 7(1) of the ACA requires deputy heads to submit, before March 1 of each year, a report to their Minister in respect of the directions’ implementation during the previous calendar year. DFO submitted its report to the Minister of Fisheries, Oceans, and the Canadian Coast Guard on April 12, 2023, which was 42 days following the legislated deadline.

Sections 5 through 8 of the ACA set out additional reporting requirements with which all deputy heads and Ministers complied.

Implementation of the Directions


Finding 2. NSIRA found that all departments had frameworks to govern their implementation of the ACA and its associated directions by the end of 2022.


NSIRA’s ACA review for 2021 found that all departments, with the exception of CBSA and PS, had fully implemented ACA governance frameworks. Both CBSA and PS implemented such frameworks in the course of this year’s review. Their policies came into effect on September 1, 2022 and January 1, 2022, respectively.


Finding 3. NSIRA found that most departments demonstrated continual refinements of their ACA frameworks based on self-identified gaps, NSIRA recommendations, and community-wide coordination efforts.


In 2022, most departments focused their refinement efforts on codifying existing practices in formal policy instruments, and developing more fine-grained procedures and guidance to support their implementation. Degrees of refinement varied across departments, generally in line with the maturity of their respective frameworks. Of note amongst these efforts:

  • DND/CAF finalized an updated policy framework, which now includes, among other elements, a new MD to supplement the OiC directions and facilitate their implementation;
  • RCMP restructured and internally reallocated resources to support the conduct of ACA risk assessments and related approvals;
  • CRA, DFO, DND/CAF, and RCMP were taking steps to broaden their frameworks’ application across departmental business lines;
  • CBSA, CRA, DND/CAF, IRCC, PS, and RCMP were elaborating or enhancing risk assessment tools to support decision-makers’ identification of cases involving SRM; and
  • CBSA, CRA, CSIS, DND/CAF and RCMP were developing ACA-related internal training modules.

In 2022, CSE, DND/CAF, and GAC each undertook internal reviews of aspects of their ACA implementation frameworks. Where formal reviews were not undertaken, observed refinements reflected topics raised in prior NSIRA reviews and informal interdepartmental benchmarking conducted in forums like the PS-chaired Information Sharing Coordination Group (ISCG), which includes all departments subject to the directions as members.


Finding 4. NSIRA found that TC’s ACA governance framework did not include policies and procedures for:

  1. escalating cases to the deputy head; or
  2. assessing the risks of information sharing with foreign entities.

The directions require that cases be referred to deputy heads under specified conditions (elaborated in paragraph 34, below). Departments may determine the mechanism and thresholds for such referrals according to their operational requirements. In practice, the governance frameworks of all departments but TC use pre-determined escalation ladders—beginning with operational staff and concluding with referral to the deputy head—to triage ACA cases.

Although TC’s responses to information requests from NSIRA described an escalation ladder culminating with the Deputy Minister of Transport, its policy instruments do not include any policies or procedures for escalating ACA cases beyond operational staff.

TC’s corporate policy for ACA implementation states that TC must “develop and maintain policies and procedures for assessing the risks posed by foreign entities.” NSIRA’s ACA review for 2019 critiqued the lack of detail in TC’s policy, citing concerns with the department’s framework for deciding whether a disclosure would result in SRM and its lack of a framework for determining whether an identified SRM could be mitigated. TC has stated that these gaps have not yet been addressed, given interdepartmental efforts to implement program enhancements to reduce the risk of mistreatment related to the exchange of information.

All ACA frameworks require a mechanism for case escalation to the deputy head, and a sufficiently-robust risk assessment process to identify when an information exchange may involve SRM, even when such exchanges are infrequent.


Recommendation 1. NSIRA recommends that TC update its ACA governance framework to include policies and procedures for:

  1. escalating cases to the deputy head; and
  2. assessing the risks of information sharing with foreign entities.

Finding 5. NSIRA found that all departments, with the exception of DFO, GAC, PS, and TC, used country and/or entity risk assessments to inform their assessments of substantial risk of mistreatment and corresponding case escalation.


In order to implement the directions, departments must understand the risks of sharing information with particular foreign entities, including country-level human rights conditions. To this end, most departments use formalized country and/or entity risk assessments as a baseline for assessing case-specific risks and for considering case-specific mitigations.

In some departments, levels of baseline country or entity risk correlate directly with particular levels of approval within their ACA escalation ladders, such that increasingly-senior levels of officials are expected to oversee any mitigations considered or applied in risky contexts. In other departments, escalation is tied to case-specific mistreatment risk assessments that incorporate mitigations, such that escalation is based on residual risks. In these departments, cases of satisfactorily mitigated substantial risk do not always trigger departmental thresholds for more senior oversight. CSIS’s escalation framework is unique in that the required level of approval depends on both the risk of the transaction itself and the status of the Service’s information-sharing arrangement with the foreign entity.

DFO, GAC, PS, and TC’s risk assessment processes do not involve a baseline assessment of untreated country or entity risk. At DFO, PS, and TC, this is because relevant information exchanges are seen to be so infrequent that case-specific assessments may be conducted when required. GAC, conversely, compiles relevant baseline information in a set of descriptive Human Rights Reports (HRRs), which convey relevant country context—including specifics related to torture and mistreatment—but do not assign a corresponding risk rating or assessment; GAC assesses risk in relation to particular information exchanges, as they arise.

In 2022, CBSA, CSE, CSIS, DND/CAF, FINTRAC, and RCMP each used country and/or entity assessments that they had developed internally to inform their assessments of mistreatment risk. They relied on similar sources of information to conduct these assessments, including GAC’s HRRs (although these did not exist for every country with which departments exchanged information).

In 2022, CRA and IRCC used the country risk ratings assigned by CSIS and RCMP, respectively, as their baseline indicator of a transaction’s potential risk. In both cases, CRA and IRCC received only the overall level of risk assigned to each country, and not any supporting assessment details. Both CRA and IRCC have identified their lack of in-house baseline assessments as gaps in their ACA risk assessment frameworks and are taking steps to develop the required methodologies.

While residual risks in case-specific risk assessments are expected to reflect the particularities of individual information exchanges, these must be considered in relation to the broader human rights environment in which the exchange will be made. Some departments’ case-specific risk assessment methodologies explicitly integrate the corresponding baseline country or entity risk rating. At CBSA, CSE, and DND/CAF, these ratings are matrixed with particularities of the information being considered for exchange. At GAC and RCMP, the ratings are matrixed with personal characteristics of the individual(s) who may be subject to mistreatment.


Finding 6. NSIRA found that departments’ country risk assessments were inconsistent with one another.


In its 2017 MD review, NSIRA recommended that departments develop a unified framework for assessing mistreatment risks at the country level. In each ACA review since, NSIRA has maintained its position that human rights risks within a given country should be assessed consistently across the GC.

In 2022, NSIRA observed widespread discrepancies across departments’ baseline country risk assessments, despite their reliance on similar sources of information. Within the sample of risk assessments reviewed, there were only two countries for which all departments assigned the same risk rating. For some countries, discrepancies were so drastic that different GC departments simultaneously assessed the human rights risk as low, medium, and high. Annex A presents a comparison of risk ratings assigned by each assessing department for each country within the sample.

Three main factors contributed to these discrepancies. First, risk ratings were often tied to dated assessments that failed to account for more recent developments within a country. Second, departments used different indicators of mistreatment in their methodologies. Third, departments weighted the impact of these indicators differently. For example, whereas CSIS weighted each indicator equally, in service of an overall human rights picture, CSE attributed a higher weight for indicators more likely to impact the mistreatment of an individual. DND/CAF was the only department to include an automatic trigger for a high risk rating, irrespective of other moderating considerations, when systemic mistreatment was observed within a country.

To identify differences in risk ratings and to understand the reasons for them, DND/CAF convened a working-level “human rights summit” in late 2022, with participation by CSE, CSIS, and GAC. While the summit was considered a success by all participants, identifying and understanding discrepancies falls short of NSIRA’s recommended unified set of assessments. Although participants regularly signalled that they would consider new information within their own internal assessment frameworks, they rarely committed to changes that would align their risk ratings.

In response to recommendations made in NSIRA’s ACA review for 2019, GC institutions stated their position that a standardized approach was unfeasible, given the “diverse operational activities and mandates” of the twelve implicated departments. NSIRA does not agree that the activities or mandates of the assessing GC departments are relevant considerations in the determination of baseline country or entity risks.


Finding 7. NSIRA found that the simultaneous conduct of independent human rights risk assessments in different departments reflected a substantial duplication of effort across the GC, and created the opportunity for discrepant outcomes.


Departments’ conduct of independent human rights risk assessments leads to an unnecessary drain on resources. This duplication of efforts also creates the opportunity for discrepant assessments, which are replicated across the GC when siloed risk ratings are borrowed by departments that do not internally assess risk. Where discrepancies reflect an under-assessment of baseline risk, departments may undertake information exchanges that contravene the directions’ prohibitions.

Within the sample of countries for which NSIRA requested departments’ risk assessments, departments did not frequently engage with the same foreign entities. While the present report does not, therefore, comment on the alignment of entity assessments across departments in 2022, NSIRA emphasizes the importance of aligning assessments in cases where multiple departments do deal with the same foreign entity. Departments may apply mitigations that are unique to their bilateral partnerships with the entity in question, but—for the same reasons elaborated above vis-à-vis country risk—this should always be done in relation to a baseline risk that is assessed consistently across the GC.


Recommendation 2. NSIRA recommends that the Government of Canada designate a body responsible for developing:

  1. a unified set of assessments of the human rights situations in foreign countries including a standard “risk of mistreatment” classification level for each country; and
  2. to the extent that multiple departments deal with the same foreign entities in a given country, standardized assessments of the risk of mistreatment of sharing information with foreign entities.

Decisions on Substantial Risk of Mistreatment


Finding 8. NSIRA found, for the fourth consecutive year, that no departments escalated cases to their deputy heads for determination or decision.


Subsections 1(2) and 2(2) of the directions require, respectively, that information disclosures and requests be referred to deputy heads for determination in cases where departmental officials are unable to determine whether an associated SRM can be mitigated. Paragraph 3(1)(c) requires deputy—or, exceptionally, senior official—authorization to use information that is likely to have been obtained through mistreatment in any way that would deprive someone of their rights or freedoms.

When cases are escalated under these provisions, subsection 4(1) of the directions imposes reporting requirements for deputy heads. Since no cases were escalated in 2022, departments did not engage these requirements.

The lack of referrals under subsections 1(2) and 2(2) is conspicuous, given that cases had been escalated to deputy heads under the 2017 MDs. The lack of authorizations under paragraph 3(1)(c) is inconspicuous, given the rarity of factual circumstances that would warrant such authorization.


Finding 9. NSIRA found that some high-risk sharing activities were stopped prior to escalation for consideration of possible mitigations.


The lack of referrals to deputies under subsections 1(2) and 2(2) should not be construed as implying that departments failed to identify any cases meeting the threshold of “substantial,” or that all cases of mitigated SRM were approved before they could be escalated for deputy-level consideration.

CRA, CSIS, DND/CAF, GAC, IRCC, and RCMP each reported to NSIRA that they had contemplated transactions involving SRM in 2022—but not all of these contemplated transactions resulted in an information exchange. In some cases, the transaction was stopped before it could be escalated for more senior consideration of potential mitigations. Table 1 summarizes the outcomes of decisions taken in relation to each contemplated transaction involving SRM in 2022.

Table 1: Number of transactions involving SRM contemplated in 2022, by decision outcome

| Department | Total # considered | # approved | # denied / not approved | # ongoing as of 2022-12-31 |
|---|---|---|---|---|
| CRA | [**redacted**] | [**redacted**] | [**redacted**] | [**redacted**] |
| CSIS | [**redacted**] | [**redacted**] | [**redacted**] | [**redacted**] |
| DND/CAF | [**redacted**] | [**redacted**] | [**redacted**] | [**redacted**] |
| GAC | [**redacted**] | [**redacted**] | [**redacted**] | [**redacted**] |
| IRCC | [**redacted**] | [**redacted**] | [**redacted**] | [**redacted**] |
| RCMP | [**redacted**] | [**redacted**] | [**redacted**] | [**redacted**] |
| All departments | [**redacted**] | [**redacted**] | [**redacted**] | [**redacted**] |

While the vast majority of substantial risk transactions contemplated in 2022 were approved, [**redacted**] were denied or otherwise not completed. For GAC and IRCC, the transactions that did not move forward reflect a substantial proportion of all substantial risk cases subject to formal consideration (64% and 33%, respectively).

Departmental frameworks often include features that reflect a fundamental risk aversion that would result in fewer cases being escalated to deputies. CSE, for instance, allows a transaction to be denied at the initial stages of consideration when it is abundantly clear that there is SRM that cannot be mitigated below the level of substantial. Other departments, like DND/CAF, PS, and RCMP, explicitly incorporate strategic considerations, such as the operational rationale for pursuing the exchange or the importance of the bilateral relationship, when deciding whether to escalate or deny a case. If the operational rationale is lacking, the corresponding cases will fall out of (or never enter into) the ACA escalation ladder, in a manner consistent with the directions’ spirit.


Finding 10. NSIRA found that certain departments’ ACA governance frameworks and risk assessment methodologies included features that may systematically under-assess the level of risk involved in a transaction. These features include:

  • discrepant applications of the threshold for substantial risk of mistreatment;
  • incorporating mitigations into baseline assessments of risk, while overestimating their effects; and
  • a lack of checks and balances in the risk assessment process.

When the level of risk is under-assessed, cases involving substantial risk may be approved at lower levels in departments’ escalation ladders without the intended levels of corresponding oversight, or may never be escalated in the first place. In these contexts, there is an increased likelihood that information may be disclosed or requested in contravention of the directions’ prohibitions.

Discrepant applications of the threshold for SRM

In mid-2021, all ISCG members agreed to adopt the definition of “substantial risk” that was provided in the 2017 MDs:

“a personal, present and foreseeable risk of mistreatment. In order to be “substantial”, the risk must be real and must be based on something more than mere theory or speculation. In most cases, the test of a substantial risk of mistreatment will be satisfied when it is more likely than not that there will be mistreatment; however, in some cases, particularly where the risk is of severe harm, the “substantial risk” standard may be satisfied at a lower level of probability.”

The same definition was also codified in DND/CAF’s 2022 MD.

The agreed-upon definition is reflected in the policy documents of CSE, DFO, FINTRAC, GAC, PS, and RCMP, as well as (with some added precisions) CSIS and DND/CAF. Despite their agreement to adopt the same definition, however, CBSA, CRA, IRCC, and TC have not consistently updated their internal policy instruments to reflect the definition in its entirety.

Even where the definition has been formally integrated within broader policies, the threshold of probability for “substantial” has not been consistently applied. Risk assessment tools often failed to incorporate the language of “more likely than not” (and the greater-than-50% threshold it entails), or to clarify how to apply a lower level of probability when there is risk of severe harm. [**redacted**]

Lack of clear direction within policy suites increases the likelihood that departments may apply a threshold for SRM that is incommensurate with the circumstances.

Applying the SRM threshold requires clarity, as well, on what constitutes “mistreatment.” Although a definition for “mistreatment” is provided in the ACA, departments did not always agree on appropriate indicators thereof. At the 2022 “human rights summit,” for instance, it was noted that [**redacted**] whereas DND/CAF included it as an indicator of “due process.” When the definition of mistreatment is too narrowly scoped, SRM may be under-assessed.


Recommendation 3. NSIRA recommends that departments apply the “substantial risk” threshold in a manner consistent with the definition adopted government-wide; and that departments whose broader policy frameworks do not yet reflect this definition (CBSA, CRA, IRCC, and TC) make the attendant updates.


Incorporating mitigations into baseline assessments of risk, while overestimating their effects

The directions allow departments to apply mitigations, such as caveats or assurances, to lower the level of a transaction’s risk below “substantial.” Departments that use entity assessments as their starting point for assessing SRM often incorporate such mitigations into their baseline assessment of risk, such that risk ratings reflect a lowered, residual risk of mistreatment instead of an untreated SRM for which subsequent mitigations may be considered.

Within the sample of risk assessments reviewed, CSIS and DND/CAF tended to assess entity risk as lower than the corresponding country risk. NSIRA did not find that their entity risk assessments sufficiently accounted for systemic risks of mistreatment observed in the entity’s country-level operating environment. For CSIS, this dynamic was particularly evident in [**redacted**].

The impact of incorporating mitigations into baseline assessments of risk is accentuated when departments overestimate the effect of mitigations, or base their entity assessments on inappropriate considerations.

The weight attributed to caveats and assurances, as baseline mitigations, was often artificially high. Prior NSIRA reviews have observed gaps in departments’ ability to verify whether a country or entity has actually complied with caveats or assurances. NSIRA did not observe evidence, in 2022, that departments had taken steps to improve their confidence in entities’ compliance with caveats or assurances, nor that they had moderated the expected effect of such mitigations when assigning entity risk levels.

Additionally, NSIRA observed assessments where entity risk may have been influenced by inappropriate considerations, such as the strength of a department’s bilateral relationship with the entity in question, or an absence of derogatory information particular to that entity. For example, FINTRAC’s SRM assessment form specifically prompts users to evaluate the strength of FINTRAC’s bilateral relations with its foreign counterpart. In addition, some departments’ assessments appeared to discount risks reported in open sources in situations where confirmatory intelligence was unavailable.

NSIRA maintains the position elaborated in its ACA review for 2020 that all bilateral exchanges should be assessed through the lens of country risk, given that even so-called “trusted partners” are embedded in the information-sharing hierarchies and human rights contexts of their respective countries. Understanding the human rights risks within a country is a precursor for developing sound entity- or case-specific risk assessments.


Recommendation 4. NSIRA recommends that departmental assessments of substantial risk of mistreatment be grounded in countries’ human rights records; and that subsequent entity-level considerations be based on validated, current, and consistent respect for caveats and assurances, rather than the absence of derogatory information particular to that entity or other bilateral considerations.


Lack of checks and balances in the risk assessment process

Including checks and balances in the risk assessment process minimizes the likelihood of generating an under-assessment of risk. Checks and balances are present where decisions on case escalation are separated from decisions on whether a case meets the threshold for SRM.

In 2022, many departments achieved this separation by building robust case triage practices into their case escalation frameworks. For instance, CRA, IRCC and RCMP initially escalate cases based on an externally-assigned or pre-determined country or entity risk rating, irrespective of the level of risk attributed to the specific transaction.

Similarly, CBSA and DND/CAF initially escalate cases based on case-specific assessments that matrix a baseline, externally-assigned, risk rating with features of the information being considered for exchange.

DFO’s framework achieves the same effect, despite not relying on a baseline risk rating, by escalating individual cases based on the presence of any potential risk of mistreatment. This threshold is feasible at DFO, given its low frequency of foreign information exchange; departments with higher volumes of information exchange may feasibly achieve a similar effect by escalating cases, at the outset, based on a threshold lower than “substantial.”

Other frameworks achieve a similar separation by ensuring that decisions on substantial risk are made by officials outside the chain of command of the operational personnel involved in the exchange. The RCMP, for instance, prohibits a member of its ACA senior management advisory committee from chairing the discussion of a case recommended from their own business line. To enhance this separation of powers, NSIRA recommended in its ACA review for 2021 that recommendations flowing from this committee be referred to an Assistant Commissioner who is not accountable for the branch from which the case originates. Such practices are consistent with NSIRA’s 2017 MD review recommendation that, in cases where the risk of mistreatment approaches the threshold of “substantial,” decisions should be made independently of operational personnel directly invested in the outcome.

CSE’s ACA policy instruments convey a layering of checks and balances: every instance of foreign information exchange that could lead to the identification of an individual is subject to a mistreatment risk assessment; these assessments are conducted by dedicated information-sharing teams, independently from operational personnel; determinations on the nature of mistreatment risk assessment required (annual, in low risk contexts; case-by-case, in all others) are made on the basis of pre-determined country risk ratings; subsequent case escalation reflects an upward triage based on gradations of mistreatment risk; and this escalation occurs exclusively within CSE’s Authorities, Compliance, and Transparency sector, as opposed to an operational branch.

CSIS’s policy instruments do not convey the same degree of checks and balances [**redacted**].


Recommendation 5. NSIRA recommends that all ACA governance frameworks incorporate layered checks and balances in the risk assessment and escalation of cases that may involve substantial risk of mistreatment.


Conclusion

In this fourth annual review of the ACA directions’ implementation, NSIRA made findings related to compliance with the ACA’s reporting requirements; the alignment of departments’ governance frameworks with the direction’s provisions for information sharing; and departmental practices for identifying cases that may involve SRM.

NSIRA’s findings and recommendations in this report reflect both developments and stagnations in departments’ implementation of the directions over time. Of note, NSIRA observed efforts in 2022 to collaborate interdepartmentally, and standardize certain practices across the GC. While these efforts reflect an improvement over past approaches, they fall short of the directions’ envisioned consistent framework for foreign information sharing government-wide. Additionally, NSIRA observed a number of practices that may lead departments to systematically under-assess the risks involved in contemplated information exchanges. Such under-assessments may, in turn, lead to information being exchanged in contravention of the directions’ prohibitions.

NSIRA made five recommendations in this review. Collectively, they would ensure that all departments’ ACA frameworks reflect a degree of standardization commensurate with the spirit of the ACA and its associated directions; and that these frameworks are designed to support compliance with the directions.

Appendices

Annex A. Sample of Country Risk Ratings

Table 2 presents the risk ratings for each country within the sample (n=19), as assigned by each department that relied on its own internally-developed country risk assessments in 2022.

Table 2: Sample of country risk ratings, per assessing department (as of November 2022)
| Country | CBSA | CSE | CSIS | DND/CAF | FINTRAC | RCMP |
|---|---|---|---|---|---|---|
| Country 1 | No Assessment | Mixed (Medium risk) | Low (Low risk) | High (High risk) | Moderate (Medium risk) | No Assessment |
| Country 2 | No Assessment | Poor (High risk) | Low (Low risk) | Medium (Medium risk) | No Assessment | Medium (Medium risk) |
| Country 3 | High (High risk) | Poor (High risk) | High (High risk) | High (High risk) | High (High risk) | High (High risk) |
| Country 4 | No Assessment | Poor (High risk) | Low (Low risk) | Medium (Medium risk) | No Assessment | No Assessment |
| Country 5 | No Assessment | Poor (High risk) | High (High risk) | High (High risk) | Moderate (Medium risk) | Medium (Medium risk) |
| Country 6 | No Assessment | Poor (High risk) | High (High risk) | High (High risk) | No Assessment | High (High risk) |
| Country 7 | No Assessment | Poor (High risk) | High (High risk) | High (High risk) | Moderate (Medium risk) | Medium (Medium risk) |
| Country 8 | No Assessment | Poor (High risk) | High (High risk) | Medium (Medium risk) | No Assessment | Medium (Medium risk) |
| Country 9* | Low (Low risk) | Mixed (Medium risk) | Low (Low risk) | Low (Low risk) | Low (Low risk) | Low (Low risk) |
| Country 10 | High (High risk) | Poor (High risk) | Medium (Medium risk) | Medium (Medium risk) | Moderate (Medium risk) | Medium (Medium risk) |
| Country 11 | No Assessment | Poor (High risk) | High (High risk) | High (High risk) | No Assessment | Medium (Medium risk) |
| Country 12 | High (High risk) | Mixed (Medium risk) | High (High risk) | Medium (Medium risk) | High (High risk) | Medium (Medium risk) |
| Country 13 | No Assessment | Poor (High risk) | High (High risk) | High (High risk) | Moderate (Medium risk) | High (High risk) |
| Country 14 | No Assessment | Poor (High risk) | High (High risk) | High (High risk) | High (High risk) | Medium (Medium risk) |
| Country 15 | Medium (Medium risk) | Mixed/Poor (High risk) | Low (Low risk) | High (High risk) | Moderate (Medium risk) | No Assessment |
| Country 16 | No Assessment | Mixed (Medium risk) | Low (Low risk) | High (High risk) | Moderate (Medium risk) | Medium (Medium risk) |
| Country 17 | No Assessment | Mixed (Medium risk) | Low (Low risk) | Medium (Medium risk) | Moderate (Medium risk) | Medium (Medium risk) |
| Country 18 | No Assessment | Poor (High risk) | High (High risk) | High (High risk) | Moderate (Medium risk) | High (High risk) |
| Country 19 | High (High risk) | Poor (High risk) | Medium (Medium risk) | High (High risk) | Moderate (Medium risk) | Medium (Medium risk) – Under Review |

* No GAC HRR available for this country.

Annex B. Findings and Recommendations

NSIRA made the following findings and recommendations in this review:

Compliance with the ACA

Finding 1. NSIRA found that all departments, with the exception of DFO in respect of subsection 7(1), complied with the reporting requirements set out in the ACA.

Implementation of the Directions

Finding 2. NSIRA found that all departments had frameworks to govern their implementation of the ACA and its associated directions by the end of 2022.

Finding 3. NSIRA found that most departments demonstrated continual refinements of their ACA frameworks based on self-identified gaps, NSIRA recommendations, and community-wide coordination efforts.

Finding 4. NSIRA found that TC’s ACA governance framework did not include policies and procedures for:

  1. escalating cases to the deputy head; or
  2. assessing the risks of information sharing with foreign entities.

Recommendation 1. NSIRA recommends that TC update its ACA governance framework to include policies and procedures for:

  1. escalating cases to the deputy head; and
  2. assessing the risks of information sharing with foreign entities.

Finding 5. NSIRA found that all departments, with the exception of DFO, GAC, PS, and TC, used country and/or entity risk assessments to inform their assessments of substantial risk of mistreatment and corresponding case escalation.

Finding 6. NSIRA found that departments’ country risk assessments were inconsistent with one another.

Finding 7. NSIRA found that the simultaneous conduct of independent human rights risk assessments in different departments reflected a substantial duplication of effort across the GC, and created the opportunity for discrepant outcomes.

Recommendation 2. NSIRA recommends that the Government of Canada designate a body responsible for developing:

  1. a unified set of assessments of the human rights situations in foreign countries including a standard “risk of mistreatment” classification level for each country; and
  2. to the extent that multiple departments deal with the same foreign entities in a given country, standardized assessments of the risk of mistreatment of sharing information with foreign entities.

Decisions on Substantial Risk of Mistreatment

Finding 8. NSIRA found, for the fourth consecutive year, that no departments escalated cases to their deputy heads for determination or decision.

Finding 9. NSIRA found that some high-risk sharing activities were stopped prior to escalation for consideration of possible mitigations.

Finding 10. NSIRA found that certain departments’ ACA governance frameworks and risk assessment methodologies included features that may systematically under-assess the level of risk involved in a transaction. These features include:

  • discrepant applications of the threshold for substantial risk of mistreatment;
  • incorporating mitigations into baseline assessments of risk, while overestimating their effects; and
  • a lack of checks and balances in the risk assessment process.

Recommendation 3. NSIRA recommends that departments apply the “substantial risk” threshold in a manner consistent with the definition adopted government-wide; and that departments whose broader policy frameworks do not yet reflect this definition (CBSA, CRA, IRCC, and TC) make the attendant updates.

Recommendation 4. NSIRA recommends that departmental assessments of substantial risk of mistreatment be grounded in countries’ human rights records; and that subsequent entity-level considerations be based on validated, current, and consistent respect for caveats and assurances, rather than the absence of derogatory information particular to that entity or other bilateral considerations.

Recommendation 5. NSIRA recommends that all ACA governance frameworks incorporate layered checks and balances in the risk assessment and escalation of cases that may involve substantial risk of mistreatment.


Departmental Results Report: 2023-24 – At a Glance

Date of Publishing:

Results at a glance

A departmental results report provides an account of actual accomplishments against plans, priorities and expected results set out in the associated Departmental Plan.

Key priorities

NSIRA Secretariat’s top priorities for 2023-24 were as follows:

  • Mandatory reviews related to the Canadian Security Intelligence Service (CSIS), the Communications Security Establishment (CSE), the Security of Canada Information Disclosure Act and Governor in Council directions under the Avoiding Complicity in Mistreatment by Foreign Entities Act.
  • Completing the Review of the dissemination of intelligence on People’s Republic of China political foreign interference, 2018-2023, which was submitted to the Prime Minister as NSIRA’s first ever special report, and subsequently tabled in Parliament.
  • Meeting the newly implemented NSIRA Service Standards for the timely investigations of complaints.
  • Successfully hosting, in Ottawa, the annual conference of the Five Eyes Intelligence Oversight and Review Council.
  • Keeping the NSIRA Secretariat facility expansion project on track for successful completion and timely relocation of employees to the new workspace.

Highlights

In 2023-24, total actual spending (including internal services) for NSIRA Secretariat was $14,962,179 and total actual human resources spending was $11,861,196. For complete information on NSIRA Secretariat’s total spending and human resources, read the Spending and human resources section of the full report.

The following provides a summary of the department’s achievements in 2023-24 according to its approved Departmental Results Framework. A Departmental Results Framework consists of a department’s core responsibilities, the results it plans to achieve and the performance indicators that measure progress toward these results.

Core responsibility 1: National Security and Intelligence Reviews and Complaints Investigations

Actual spending: $7,307,710

Actual human resources: 51

Departmental results achieved

Ministers and Canadians are informed whether national security and intelligence activities undertaken by Government of Canada institutions are lawful, reasonable and necessary

NSIRA Secretariat staff supported NSIRA in the completion of 11 national security and intelligence reviews over the course of the 2023-24 fiscal year. A total of 13 Government of Canada organizations were subject to review and eight Ministers, plus the Prime Minister, went on to receive one or more of the NSIRA reports that were approved by members in the 2023-24 fiscal year.

Results achieved  

  • 10 section 34 ministerial reports
  • 12 section 35 compliance reports
  • 1 section 39 report on disclosures under the Security of Canada Information Disclosure Act
  • NSIRA’s first ever section 40 special report to the Prime Minister, which was tabled in Parliament

Two departments were subject to NSIRA review for the first time: TBS and SSC.

In 2023-24, the NSIRA Secretariat advanced its investigative processes, focusing on timeliness, efficiency, and transparency. The number of investigations remained high, with a notable rise in complaints about CSIS delays in security assessments for immigration.

The Secretariat enhanced its investigative fairness and efficiency by implementing new procedures and practices. With the easing of COVID-19 restrictions, NSIRA’s efficiency improved, completing six formal investigations and resolving seven complaints informally.

New service standards were introduced on April 1, 2023, setting internal time limits for investigative steps. NSIRA achieved a 100% success rate in meeting these standards.

Additionally, NSIRA and the CRCC concluded a study on collecting race-based and demographic data to support anti-racism initiatives. This collaboration will continue into 2024-25.

More information about National Security and Intelligence Reviews and Complaints Investigations can be found in the Results – what we achieved section of the full departmental results report.


Review of the Communications Security Establishment’s Use of the Polygraph for Security Screening: Backgrounder

Backgrounder

In 2021, NSIRA began its review of the Communications Security Establishment’s (CSE) use of the polygraph for security screening. This review also explored the Treasury Board Secretariat’s (TBS) role in including the polygraph in the Standard on Security Screening introduced in 2014.

The Government of Canada has used the polygraph as a tool for security screening since the Cold War. When the Canadian Security Intelligence Service (CSIS) started using the polygraph in 1984, its then-review body, the Security Intelligence Review Committee (SIRC), criticized its use in screening the thousands of Canadians CSIS employs. SIRC specifically questioned the science behind the polygraph as a legitimate, effective, and fair means to judge the loyalty of Canadians, as well as the justification for the general application of what is seen as a highly invasive tool.

In 2019, NSIRA completed a review of CSIS’s Internal Security Branch, which included CSIS’s use of the polygraph for security screening. In that review, NSIRA found several shortcomings with the CSIS program, including:

  • Mental health implications and unequal outcomes for subjects undergoing polygraph exams
  • Inappropriate influence of the polygraph in security screening decision-making
  • Unnecessary collection of medical information
  • A lack of any centralized policy rationale from TBS for why Canada should use the tool in the first place

At CSE, NSIRA found many of the same or strikingly similar shortcomings.

NSIRA’s priority in conducting this review was always clear: to evaluate whether the privacy and Charter rights of CSE’s employees and prospective employees were being protected. As this report demonstrates, NSIRA found that in some cases, they were not.

The Government of Canada is responsible for safeguarding its employees, information, and assets. Threats to Canada and Canadians are real. Security screening is the primary way the government determines an individual’s loyalty to Canada before entrusting them with access to sensitive information or facilities required to carry out their duties as public servants.

NSIRA’s review of CSE’s use of the polygraph for security screening is important because it is the first time an independent review body in Canada has assessed such a program with this level of operational detail and scrutiny.

From the outset, NSIRA determined that this review could not be completed without being able to assess the actual conduct of polygraph exams, with appropriate protections in place to protect the anonymity of the individuals submitting to the exam. As demonstrated by this report, access to these recordings was, in fact, fundamental to many of NSIRA’s findings.

This review is also timely as TBS reviews and updates the 2014 Security Screening Standard. The importance of security screening should prompt TBS to undertake a thorough analysis to support which screening tools it promotes and requires while being mindful that security screening does not grant an organization the license to override the fundamental privacy protections granted under Canadian law.

The government now has an opportunity to correct past errors and conduct the fulsome assessment and analysis required to rigorously explore whether using the polygraph for security screening is justified. We trust that the government will consider our findings and recommendations, which may be informative as TBS completes these long-overdue updates.


Review of the Communications Security Establishment’s Use of the Polygraph for Security Screening: Report

Report
