CSE’s Governance of Active and Defensive Cyber Operations – Government Responses

Executive Summary

This was NSIRA’s first review of CSE’s governance of Active and Defensive Cyber Operations (ACO/DCOs). The review assessed the governance framework that guides the conduct of ACO/DCOs and whether CSE appropriately considers its legal obligations and the foreign policy impacts of operations.

CSE’s authority to conduct ACO/DCOs was introduced in 2019 through the Communications Security Establishment Act. These powers did not exist prior to the introduction of that legislation and are important new capabilities for the Government of Canada. The current global environment is clarifying the relevance of these capabilities and authorities for Canada. 

 In keeping with its commitment to lawfulness, CSE has worked diligently and methodically to operationalize these new authorities. As CSE continues to develop this capability, it is proceeding cautiously to ensure all activities are carried out in accordance with the CSE Act, and in line with Canada’s international obligations, in particular those highlighted in Canada’s recently published statement on the application of International Law in cyberspace.

CSE acknowledges the crucial role that review bodies play in the national security and intelligence community and CSE welcomes reviews by and recommendations from these review bodies. NSIRA’s recommendations from its review of CSE’s ACO/DCO governance framework will help guide the development of CSE’s capabilities so that CSE can continue to ensure lawfulness as well as effectiveness, efficiency and responsiveness.

As a crucial partner in the ACO/DCO governance framework, NSIRA engaged GAC in this review and made recommendations in relation to both GAC and CSE. CSE and GAC are pleased to provide the following response to NSIRA’s recommendations.


Recommendation no. 1:

CSE should more precisely define the classes of activities, associated techniques, and intended target sets to be undertaken for Active and Defensive Cyber Operations as well as their underlying rationale and objectives, both in its Applications and associated Ministerial Authorizations for these activities.

CSE’s response:

CSE agrees with this recommendation.

While CSE agrees with this recommendation, CSE notes that the Minister is always provided with a sufficient amount of information and detail necessary to assess the application and grant an authorization.

CSE agrees that, where operationally appropriate, combining the information contained in briefings and presentations into the written application and authorisation will provide a more comprehensive written record. CSE has begun refining the information included in Active Cyber Operations (ACO) and Defensive Cyber Operations (DCO) applications and authorisations.


Recommendation no. 2:

GAC should include a mechanism to assess all relevant foreign policy risk parameters of Active and Defensive Cyber Operations within the associated Ministerial Authorizations.

GAC’s response:

GAC agrees with this recommendation.

GAC already includes a consideration of a wide variety of factors in its Foreign Policy Risk Assessment, as identifiable in the Foreign Policy Risk Assessment template.

CSE has also in the past provided separate operational/technical risk assessments in its mission plans. This has included additional information about the targets and their activities on the GII, the technologies they use, or the complex technical systems CSE develops and deploys to conduct these operations.


Recommendation no. 3:

CSE and GAC should establish a framework to consult key stakeholders, such as the National Security and Intelligence Advisor to the Prime Minister and other federal departments whose mandates intersect with proposed Active Cyber Operations to ensure that they align with broader Government of Canada strategic priorities and that the requirements of the CSE Act are satisfied.

Joint CSE and GAC response:

In principle, CSE and GAC agree with this recommendation.

All relevant Government of Canada stakeholders whose mandates may intersect with a planned ACO are consulted. We agree with the importance of ensuring alignment with broad Government of Canada strategic priorities and believe there are a number of avenues already in place through which updates can be shared and consultations can be undertaken with the broader security and intelligence community as and when needed. Examples of this include the Assistant Deputy Minister (ADM) and Deputy Minister (DM) level security and intelligence committee infrastructure (e.g. ADM National Security Operations Committee, DM Operations Committee) and the geographic-specific committee infrastructure. Additionally, there is a community-wide intelligence priority process that provides a framework and guidance for intelligence-related activities such as cyber operations.

We appreciate that as the types of ACOs considered and undertaken broaden, the current model for consulting government departments and agencies may need to evolve. CSE and GAC will work together to evolve an appropriate consultation framework over time as needed.


Recommendation no. 4:

CSE and GAC should develop a threshold that discerns between an Active Cyber Operation and a pre-emptive Defensive Cyber Operation, and this threshold should be described to the Minister of National Defence within the applicable Ministerial Authorizations.

Joint CSE and GAC response:

CSE and GAC disagree with this recommendation.

CSE and GAC cannot agree with this recommendation as it refers to an activity (pre-emptive Defensive Cyber Operation) that is not provided for in the Communications Security Establishment Act (CSE Act) and that CSE does not conduct.

Under the DCO aspect of CSE’s mandate in section 18 of the CSE Act, CSE is authorized to carry out activities on or through the global information infrastructure to help protect federal institutions’ electronic information and information infrastructures and electronic information and information infrastructures designated under the CSE Act as being of importance to the Government of Canada (relevant infrastructure). The threat does not need to have compromised the information or infrastructure before a DCO is initiated, but it must present a credible threat to the designated information infrastructure(s).

In circumstances where CSE is aware a cyber threat exists but this threat has not manifested as a threat to the designated infrastructure(s), CSE can consider conducting an ACO. CSE can only conduct an ACO if it can satisfy the Minister that any intended activities would degrade, disrupt, influence, respond to or interfere with the capabilities, intentions or activities of a foreign individual, state or organisation or terrorist group as they relate to international affairs, defence or security.

If NSIRA believes that CSE and GAC need to more clearly define the threshold between an ACO and a DCO, then CSE and GAC also disagree with this recommendation on the basis that the CSE Act clearly sets out the conditions that CSE must satisfy before undertaking cyber security activities, DCOs or ACOs. There is no need for any other threshold to be created.


Recommendation no. 5:

In its applications to the Minister of National Defence, CSE should accurately describe the potential for collection activities to occur under separate authorizations while engaging in Active and Defensive Cyber Operations.

CSE’s response:

CSE agrees with this recommendation.

CSE already accurately describes the potential for collection activities, and the authority for such activities, in its applications to the Minister of National Defence.  CSE has taken steps to ensure that applications for and authorizations of ACOs and DCOs clearly reference the authorizations under which any acquisition of information required to achieve the intended outcome of the ACO or DCO is conducted.

Importantly, CSE is not permitted to acquire information under an ACO or DCO authorization. The acquisition of the information relied on to conduct ACO and DCO activities is authorised under CSE’s foreign intelligence authorization, cybersecurity authorization or an emergency authorization. The use of this information in support of ACO and DCO purposes is outlined in CSE’s foreign intelligence and cybersecurity authorizations. These authorizations are reviewed by the Intelligence Commissioner who assesses the reasonableness and proportionality of the acquisition and use of information for ACO and DCO purposes.


Recommendation no. 6:

CSE should include all pertinent information, including targeting and contextual information, within all operational plans in place for a cyber operation, and in materials it presents to GAC.

CSE’s response:

CSE disagrees with this recommendation.

GAC requires sufficient and pertinent information upon which to base its analysis related to foreign risk and international law. CSE has worked with GAC to share the appropriate level of operational detail that GAC has requested to conduct their work.  This need is reflected in the CSE-GAC Governance Framework whereby GAC is provided with an operation-specific Mission Plan to inform its Foreign Policy Risk Assessment. GAC is satisfied with the information provided by CSE. When GAC has required additional information to conduct its Foreign Policy Risk Assessment or international law assessment, CSE has provided the supplemental information requested.


Recommendation no. 7:

CSE should provide a structured training program to its employees involved in the execution of Active and Defensive Cyber Operations (ACO/DCOs), to ensure that they have the requisite knowledge of CSE’s legal authorities, requirements, and prohibitions, as required by the associated Ministerial Authorizations.

CSE’s response:

CSE agrees with this recommendation.

To supplement the existing mandatory annual training and testing that covers CSE’s legal authorities, requirements and prohibitions, CSE will consider developing a tailored training program for employees involved in the planning and execution of ACOs and DCOs.


Recommendation no. 8:

CSE and GAC should provide an assessment of the international legal regime applicable to the conduct of Active and Defensive Cyber Operations. Additionally, CSE should require that GAC conduct and document a thorough legal assessment of each operation’s compliance with international law.

Joint CSE and GAC response:

CSE and GAC partially agree with this recommendation.

In the time since this review concluded, GAC and CSE have continued to develop the process for assessing the international legal implications of cyber operations, with GAC’s Legal Bureau documenting a thorough legal assessment of each operation’s compliance with international law.

Procedurally, CSE submits a Mission Plan to GAC requesting a Foreign Policy Risk Assessment. Once received, GAC’s Legal Bureau leads a consultation process with Department of Justice (DOJ) counsel from both CSE’s and GAC’s Department of Legal Services (DLS), and in some cases, with DOJ counsel from the Constitutional, Administrative and International Law Section (CAILS), to discuss the international law implications of the planned operation as described in the Mission Plan.

These discussions are summarised in a written legal assessment recorded in the Foreign Policy Risk Assessment and are grounded in the international law analysis the GAC Legal Bureau has been developing over many years, including in the Government of Canada’s comments on the draft chapter of Tallinn Manual 2.0 in 2016, the development of the Draft Desk Book coordinated by GAC’s Legal Bureau and produced in August 2019, and the extensive legal analysis done in advance of the original ACO and DCO MAs.

GAC notes that it would be unusual to produce a comprehensive legal assessment of applicable law with respect to a range of potential or hypothetical operations that might be conducted by Canada, its allies and its adversaries in any field, cyber or otherwise. Rather it is GAC’s practice, like that of States generally, to produce legal assessments in relation to specific proposed activities or operations or court cases or other potential disputes.

GAC has consolidated its international legal analysis into a public statement on international law applicable to cyberspace. This public statement was developed and completed through extensive interdepartmental consultations among legal and policy experts, as well as an analysis of other national statements and leading publications and processes, including Tallinn Manual 2.0, the Swiss-led Expert Dialogue on International Law and Cyber, the Dutch-led Hague process, the Swiss-led Informal Consultations on International Humanitarian Law and Cyber Operations, the Oxford Process, and the US Cyber Command annual Legal Conference. Canada has joined like-minded and other nations in producing a public statement, in part to advance ongoing multilateral processes at the United Nations and elsewhere, to further develop common understandings and a broader consensus on how international law applies in cyberspace.


Recommendation no. 9:

CSE and GAC should communicate to one another all relevant information and any new developments relevant to assessing risks associated with a cyber operation, both in the planning phases and during its execution.

Joint CSE and GAC response:

CSE and GAC agree with this recommendation.

In the time since this review concluded, CSE and GAC have increased the frequency of working-level exchanges. Under the GAC-CSE Foreign Cyber Operations Governance Framework, GAC and CSE will bolster the existing points of contact and develop standard operating procedures for CSE and GAC to mutually provide any new information or developments relevant to a cyber operation.


Review of Information Sharing Across Aspects of CSE’s Mandate – CSE Responses

NSIRA Recommendation 1: CSE should obtain additional legal advice on its internal sharing of information between the foreign intelligence and cybersecurity aspects of the mandate, explicitly in relation to compliance with the Privacy Act, which thoroughly addresses the following two issues:

  • Whether the internal sharing of information between the foreign intelligence and cybersecurity aspects of the mandate is a use or a disclosure of information for the purposes of the Privacy Act; and
  • Whether uses and disclosures are done in accordance with sections 7 and 8 of the Privacy Act.

CSE Response: Disagree. CSE does not accept recommendation 1. CSE has already received comprehensive and clear legal advice on this matter from the Department of Justice and has relied on that advice in the conduct of its activities (which NSIRA has found lawful).

NSIRA Recommendation 2: All foreign intelligence and cyber security applications from the Chief of CSE should appropriately inform the Minister of National Defence that retained information might be used to support a different aspect.

CSE Response: CSE has already implemented the recommended action. CSE notes that it had and continues to inform the Minister about the use of information for other aspects of its mandate. Applications for all foreign intelligence and cybersecurity Ministerial Authorizations in 2021-2022 included wording to clearly reflect that information collected under one aspect of CSE’s mandate could be used to support a different aspect.


Review of Air Passenger Targeting by the Canada Border Services Agency (CBSA) – Government responses

NSIRA Recommendation 1: NSIRA recommends that the CBSA document its triaging practices in a manner that enables effective verification of whether all triaging decisions comply with statutory and regulatory restrictions.

GOC Response: The CBSA agrees with this recommendation. The CBSA will complete a review of its APT triaging practices to ensure practices are in place which will enable effective verification of compliance with statutory and regulatory restrictions.

NSIRA Recommendation 2: NSIRA recommends that the CBSA ensure, in an ongoing manner, that its triaging practices are based on information and/or intelligence that justifies the use of each indicator. This justification should be well-documented to enable effective internal and external verification of whether the CBSA’s triaging practices comply with its non-discrimination obligations.

GOC Response: The CBSA agrees with this recommendation. While we are satisfied that justification for triaging and targeting practices exist, the CBSA acknowledges that better documentation practices could be implemented to enable effective internal and external verification of whether the CBSA’s triaging practices comply with its non-discrimination obligations. The CBSA’s Scenario Based Targeting Governance Framework will be updated to include information and/or intelligence that justifies the use of each indicator. Annual reviews of scenarios will continue to be conducted and documented to confirm that each active scenario is supported by recent and reliable intelligence.

NSIRA Recommendation 3: NSIRA recommends that the CBSA ensure that any Air Passenger Targeting related distinctions on protected grounds that are capable of reinforcing, perpetuating, or exacerbating a disadvantage constitute a reasonable limit on travellers’ equality rights under the Charter.

GOC Response: The CBSA agrees with this recommendation. The CBSA will review its APT practices to ensure that distinctions based on protected grounds are reasonable and can be demonstrably justified in the border administration and enforcement context.

NSIRA Recommendation 4: NSIRA recommends that the CBSA develop more robust and regular oversight for Air Passenger Targeting to ensure that its practices are not discriminatory. This should include updates to the CBSA’s policies, procedures, training, and other guidance, as appropriate.

GOC Response: The CBSA agrees with this recommendation. The CBSA acknowledges that policies, procedures, training, and other guidance, as appropriate can be improved to ensure robust and regular oversight for Air Passenger Targeting to ensure that its practices are not discriminatory. The CBSA will complete a review of its policies, procedures, guidelines and training to ensure practices are not discriminatory.

NSIRA Recommendation 5: NSIRA recommends that the CBSA start gathering and assessing the necessary data to identify, analyze, and mitigate discrimination-related risks. This includes disaggregated demographic data, data on the effects of Air Passenger Targeting on secondary examinations that may be apparent from related human rights complaints, and data on a baseline comparator group.

GOC Response: The CBSA agrees with this recommendation. To that end, the CBSA is taking deliberate steps to develop its capacity to capture and analyze reliable and accurate data in non-intrusive ways. The Agency is working on developing standard and consistent positions and frameworks on the collection, use, management and governance of disaggregated data; developing metrics and indicators to measure the impact of decisions and policies on different groups; using data to build more inclusive and representative policies and strategies; and identifying possible discrimination and bias.


Review of federal institutions’ disclosures of information under the Security of Canada Information Disclosure Act in 2022 – Government Responses

Government of Canada Response to the Recommendations of the NSIRA Review of Federal Institutions’ Disclosures of Information under the Security of Canada Information Disclosure Act (“SCIDA”) in 2022

NSIRA Recommendation 1: NSIRA recommends that information sharing arrangements be used to govern regular SCIDA disclosures between GAC and CSIS; IRCC and CSIS; as well as IRCC and CSE.

Related finding(s):

Finding no. 1: CSE, CSIS, GAC, and IRCC regularly use the SCIDA in a manner that warrants information sharing arrangements, as encouraged by subsection 4(c) of the SCIDA.

Government Response: Agree

Explanation: The Government of Canada recognizes the value of using information sharing arrangements to facilitate the effective and responsible sharing of information between federal institutions that frequently disclose information of a similar nature under the SCIDA. In response to this recommendation, and in consultation with the designated recipient institutions under the SCIDA, Public Safety Canada has developed an information sharing agreement template.

The template has been reviewed by the Office of the Privacy Commissioner of Canada and specifically assessed against the SCIDA, the Privacy Act, the 10 fair information principles of the Canadian Standards Association Model Code for the Protection of Personal Information (the Model Code), applicable Treasury Board of Canada Secretariat (TBS) policies, directives and guidelines, and internationally recognized best practices.

Public Safety Canada has disseminated this template to federal institutions, including those named in NSIRA’s findings and recommendations, so that they may adapt it to their unique operating environments and the types of information that they frequently disclose and receive, while continuing to respect the Charter, the Privacy Act, the SCIDA, as well as other relevant policies, legislation and regulation.

In addition, several departments and agencies have already entered into information sharing agreements to facilitate the disclosure of information under the SCIDA. For example, CSIS and GAC entered into an information sharing agreement in 2016 under the SCISA (the precursor to the SCIDA). The agreement outlines the types of information that GAC may share with CSIS. While it is still in effect, it is currently being reviewed to ensure the scope remains current. CSIS and IRCC are currently holding preliminary discussions to establish an information sharing agreement to address disclosures under SCIDA. IRCC and CSE also recently signed an information sharing agreement, as recommended in the 2020 SCIDA Annual Report.

NSIRA Recommendation 2: NSIRA recommends that all GC institutions prepare record overviews to clearly address the requirements of subsections 9(1) and 9(2) of the SCIDA; and provide them to NSIRA along with a copy of the disclosure itself and, where relevant, a copy of the request.

Related finding(s):

Finding no. 2: CBSA, DND/CAF, and IRCC were non-compliant with subsection 9(3) of the SCIDA, as they failed to provide all records created under subsections 9(1) or 9(2) to NSIRA within the legislated timeframe.

Finding no. 3: Improved compliance outcomes in instances where departments prepared record overview spreadsheets under subsections 9(1) and 9(2) of the SCIDA that displayed the following characteristics:

  • a row for each disclosure made or received;
  • columns explicitly tied to each individual paragraph under section 9; and
  • additional columns to capture relevant administrative details, such as whether the disclosure was requested or proactive; the date of the request (if applicable); and any applicable file reference numbers.

Government Response: Agree

Explanation: The Government of Canada recognizes the importance of keeping records of SCIDA disclosures and receipts, as required under the Act.

Public Safety Canada assists partners in adopting best practices that facilitate ease-of-review and improve compliance. Government of Canada partners implement Public Safety Canada’s guidance in a manner that complies with the SCIDA and works best with their unique mandates and internal procedures.

In March 2023, the Step-by-Step SCIDA Guide 2022 (“SCIDA Guide 2022”) was updated and published on Public Safety Canada’s public-facing webpage. The SCIDA Guide 2022 includes templates that support federal institutions with their record-keeping requirements. Public Safety Canada will continue to review and update existing SCIDA resources, including advice pertaining to record keeping. Public Safety Canada has also circulated a record overview template that NSIRA found particularly effective during the course of its 2022 review.

In addition, CSIS has developed clear policy and subsequent guidelines on how to handle and document information disclosures in line with the SCIDA, including a requirement to maintain a record overview along with an associated template. This template has been adjusted for clarity based on feedback from NSIRA’s 2022 review. The CBSA and IRCC have also reviewed their current operational and reporting practices with regards to SCIDA and are making the necessary functional adjustments to ensure that they remain compliant in future information sharing activities.

NSIRA Recommendation 3: NSIRA recommends that disclosing institutions explicitly address the requirements of both paragraphs 5(1)(a) and 5(1)(b) in the records that they prepare under paragraph 9(1)(e) of the SCIDA.

Related finding(s):

Finding no. 5: More than half of the descriptions provided by CBSA and IRCC under paragraph 9(1)(e) of the SCIDA did not explicitly address their satisfaction that the disclosure was authorized under paragraph 5(1)(b), the proportionality test.

Finding no. 6: Within the sample of disclosures reviewed, that disclosing institutions demonstrated they had satisfied themselves of both the contribution and proportionality tests, in compliance with subsection 5(1) of the SCIDA.

Government Response: Agree

Explanation: The Government of Canada recognizes the importance of the SCIDA’s contribution and proportionality tests in 5(1)(a) and 5(1)(b), respectively. It also recognizes the need for disclosing institutions to demonstrate their satisfaction that these two tests are met for each disclosure by providing NSIRA with a description of the information that was relied on to satisfy themselves that the disclosure was authorized under the SCIDA.

Through the publication of the SCIDA Guide 2022 and the delivery of training sessions, Public Safety Canada has provided guidance to federal institutions on ensuring that the contribution and proportionality thresholds are met when disclosing information under the SCIDA.

Recently, IRCC has added a new “Proportionality” section to their SCIDA template to require that the delegated official documents their satisfaction that the disclosure is authorized under paragraph 5(1)(b) before disclosing personal information to a recipient institution.

In addition to disclosing institutions having to satisfy the contribution and proportionality tests, CSIS independently assesses its authority to collect and retain the disclosure under the CSIS Act as a recipient institution. This includes an obligation for CSIS to ensure that the collection and retention of a SCIDA disclosure is compliant with all relevant legislation, including the Avoiding Complicity in Mistreatment by Foreign Entities Act. The SCIDA procedure published in 2022 includes direction on processing disclosures that do not meet CSIS’ threshold for collection, ensuring that the disclosure is appropriately documented and destroyed.

NSIRA Recommendation 4: NSIRA recommends that GC institutions contemplating the use of proactive disclosures under the SCIDA communicate with the recipient institution, ahead of making the disclosure, to inform their assessments under subsection 5(1).

Related finding(s):

Finding no. 7: GAC satisfied itself under the SCIDA’s paragraph 5(1)(a) contribution test based on an incorrect understanding of the recipient’s national security mandate in two cases.

Government Response: Agree

Explanation: The Government of Canada recognizes the value of general informal discussions ahead of SCIDA disclosures.

The SCIDA Guide 2022 emphasizes the importance of preliminary, high-level consultations between disclosing and recipient institutions prior to a disclosure in a manner that does not itself constitute a disclosure. The guidance specifies that informal communication should only include enough general information to ensure that the SCIDA contribution and proportionality thresholds are met before making a disclosure.

Annex F of the SCIDA Guide 2022 outlines the national security mandates of the designated recipient institutions under SCIDA. Public Safety Canada endeavours to keep the mandates updated to aid disclosing institutions in making their assessment required under subsection 5(1).

NSIRA Recommendation 5: NSIRA recommends that all disclosing institutions include statements regarding accuracy and reliability within the same document as the disclosed information.

Related finding(s):

Finding no. 8: Within the sample of disclosures reviewed, that CBSA and GAC (in one and two disclosures, respectively) were non-compliant with the SCIDA’s subsection 5(2) requirement to provide a statement regarding accuracy and reliability.

Finding no. 9: In relation to the remaining disclosures within the sample, that GAC, IRCC, and RCMP included their statements regarding accuracy and reliability within the disclosures themselves, whereas CBSA provided its statement in the disclosures’ cover letters.

Government Response: Agree

Explanation: The Government of Canada notes that providing statements on the accuracy and reliability of the manner in which information was obtained in a cover letter or in the disclosure itself both satisfy the legislated requirement under subsection 5(2) for disclosing institutions to provide such a statement.

The Government of Canada recognizes the additional value of including the statements in the actual disclosure, especially in the event of onward disclosure. Public Safety Canada will update its guidance to reflect this best practice.

NSIRA Recommendation 6: NSIRA recommends that GC institutions review their administrative processes for sending and receiving disclosures under the SCIDA, and correct practices that cause delays.

Related finding(s):

Finding no. 10: DND/CAF destroyed information under the SCIDA subsection 5.1(1), but they were non-compliant with the requirement to do so “as soon as feasible after receiving it.”

Finding no. 11: Delays between when a disclosure was authorized for sending and when it was received by the individual designated by the head of the recipient institution to receive it in at least 20% (n=34) of disclosures.

Government Response: Agree

Explanation: The Government of Canada recognizes the need to destroy unnecessary information as soon as feasible under the SCIDA, as well as the value of timely disclosures.

Government of Canada institutions each have their own systems, standards and procedures for physically and/or electronically sending and receiving information. Departments and agencies will work to review their own processes to ensure information is handled efficiently and appropriately in compliance with the SCIDA and other legislation.


Review of the Canadian Security Intelligence Service’s (CSIS) use of Geolocation information – CSIS responses

Geolocation Data Tool (SIRC 2018-05)

NSIRA Recommendation: NSIRA recommends that CSIS review its use of [the geolocation tool] to date and make a determination as to which of the operational reports generated through the use of [the geolocation tool] were in breach of section 8 of the Charter. These operational reports and/or any documents related to those results should be purged from its systems.

CSIS Response: CSIS has received advice from the Department of Justice on its use of a geolocation data tool in Canada and the disposition of information derived from its use. CSIS is working to implement this advice to ensure compliance with the Charter, CSIS Act and other legal obligations.

More broadly, CSIS recognizes that keeping pace with the global threat environment and rapid technological change necessitates continuous reflection to ensure that we have the tools and authorities required of a modern intelligence agency; CSIS must be fully equipped to protect Canada’s national security. Canadians expect CSIS to leverage technology to keep them safe in a manner that is entirely in keeping with the Canadian expectation of privacy.

NSIRA Recommendation: NSIRA recommends that policy be developed or amended as appropriate that would require a documented risk assessment, including legal risks, in situations like [the geolocation tool] when information collected through new and emerging technologies may contain information in respect of which there may be a reasonable expectation of privacy. If not, NSIRA further recommends that a policy centre for this type of collection be clearly identified.

CSIS Response: CSIS is modifying its policy framework to address this recommendation. This aligns with the most recent Ministerial Direction on Accountability from September 2019. The MD requires CSIS to notify the Minister of Public Safety when a novel technology is used.


Review of the Canadian Security Intelligence Service’s (CSIS) Internal Security Branch – CSIS responses

CSIS Internal Security (SIRC 2018-15)

NSIRA Recommendation: CSIS develop an internal policy, in consultation with Treasury Board Secretariat (TBS), outlining parameters on reporting information obtained during the course of IS screening, inquiries, and investigations to law enforcement in a timely manner.

CSIS Response: CSIS has established an internal set of procedures for disclosing information obtained during the course of Internal Security screening to law enforcement, as required. CSIS will continue to review these procedures and will continue to seek legal advice from the Department of Justice regarding these disclosures, as required. CSIS and the Department of Justice have a collaborative relationship that fosters discussion and allows for robust engagement in these matters.

NSIRA Recommendation: CSIS strengthen internal governance over polygraph activities, including modifying the methodology for conducting polygraph assessments, as appropriate.

CSIS Response: CSIS considers the findings and observations in this review as an opportunity to enhance its internal processes. As such, CSIS is working to address this recommendation by strengthening internal governance. New policy and procedures will provide clarity, accountability and transparency to its polygraph program by outlining roles and the ethical and procedural responsibilities of polygraph examiners.

NSIRA Recommendation: CSIS update applicable policy and procedures on the use of the polygraph to address security and procedural fairness implications stemming from failed polygraph results.

CSIS Response: CSIS values the important work done by the National Security and Intelligence Review Agency (NSIRA). To address gaps identified by NSIRA, CSIS is currently updating the polygraph policy and procedures to ensure an enhanced degree of transparency and procedural fairness.

NSIRA Recommendation: IS further align its overarching policy suite with the assessment criteria for adverse information outlined in the Standard on Security Screening, as well as update its Questionnaire Guidebook with clear definitions and risk indicators.

CSIS Response: CSIS continually engages in the process of updating its guides, procedures and policies. CSIS will ensure that procedures are well aligned with the Treasury Board Secretariat’s Standard on Security Screening. Providing consistency in assessments between cases remains a priority.


Review of the CSIS-RCMP relationship in a region of Canada through the lens of an ongoing investigation – NSIRA recommendations and CSIS-RCMP responses

CSIS-RCMP relationship in a region of Canada through the lens of an ongoing investigation (NSIRA 2019-04)

NSIRA Recommendation: CSIS invest the resources needed to develop a broader range of sources of information in order to prevent further serious damage to the reviewed investigation.

CSIS-RCMP Response: Due to the variety of factors inherent in each investigation, CSIS always considers how best to collect information and mitigate threats, drawing on a number of tools and resources – in accordance with the CSIS Act and ministerial direction – dependent on the situation.

NSIRA Recommendation: CSIS and the RCMP prioritize the deployment of usable and compatible secure communications systems in order to make regional de-confliction more efficient.

CSIS-RCMP Response: CSIS and the RCMP are prioritizing the deployment of compatible secure communication. The CSIS Director and the RCMP Commissioner approved the development of a CSIS-RCMP Secure Communications Strategy, the implementation of which is already underway.

NSIRA Recommendation: CSIS and the RCMP continue to prioritize the timely implementation of recommendations from the Operational Improvement Review (OIR) in order to help address the operational shortcomings reported by the OIR and further illustrated in this review.

CSIS-RCMP Response: CSIS and the RCMP remain committed to implementing the OIR recommendations as well as the implementation of One Vision 3.0.

The OIR resulted in 76 recommendations, some of which include enhanced collaboration and information sharing in national security investigations, additional training for national security personnel, as well as the improved handling and disclosure of sensitive and classified information. Significant effort has been undertaken to ensure recommendations are adopted and implemented within both organisations. Some of the early successes include pilot projects such as the Leads Pilot that has resulted in enhanced CSIS-RCMP de-confliction within national security areas of focus.

The RCMP and CSIS continue to be fully supportive of implementing these needed changes to our organisations. This work, and efforts of the broader community, will ensure that the Government of Canada has a strong foundation of enhanced collaboration and the best tools available to mitigate threats and ensure public safety. This complex work, however, is ongoing and challenges remain, particularly as it relates to the issue of intelligence and evidence. These significant challenges will require a whole-of-government approach in order to address.

NSIRA Recommendation: CSIS and the RCMP develop a properly resourced complementary strategy to address the threat examined in this report. In accordance with the vision set out in the Operational Improvement Review, the strategy should consider the full range of tools available to both agencies.

CSIS-RCMP Response: CSIS and the RCMP coordinate and collaborate on national security threats and use strategies and resources best suited to individual operations.

As a result of the OIR, discussions between CSIS and the RCMP are more frequent and occur earlier in the process, which has reduced the duplication of efforts between both of our agencies.


Review of CSIS threat reduction activities – NSIRA recommendations and CSIS responses

CSIS Threat Reduction Activities (NSIRA)

NSIRA Recommendation: CSIS create an accountability framework for information related to TRMs, and that this information be documented and retained in a central, easily retrievable location.

CSIS Response: CSIS’s robust governance framework for its TRM authorities has been the subject of review by both SIRC and NSIRA. As a result of these reviews, considerable adjustments have been made to the governance of TRMs.

CSIS is developing an improved organisational case management tool. While that work occurs, CSIS is implementing interim measures to respond to NSIRA’s recommendations. Finally, CSIS is leveraging additional communication methods to ensure awareness of the TRM specific requirements.

NSIRA Recommendation: CSIS create a formalized and documented process that ensures pertinent facts regarding TRM subjects are provided to the National Security Litigation and Advisory Group (NSLAG) to ensure that it has the information necessary to provide considered legal advice on the identification and selection of interviewees for inclusion in TRMs.

CSIS Response: CSIS and the Department of Justice have a collaborative relationship that fosters discussion and allows for continuous engagement. When Parliament established CSIS’s threat reduction mandate, CSIS worked closely with the Department of Justice to develop an appropriate and robust governance framework. This framework includes a formal and documented process to seek a legal risk assessment as well as practical guidance regarding relevant information and level of detail required for TRM submissions.

CSIS engages the Department of Justice to ensure all requirements of the CSIS Act are met including consideration that measures are reasonable and proportional to the threat and warrants are obtained if required. CSIS ensures this guidance is applied so that TRMs remain lawful and respect all Canadian laws, including Charter rights and freedoms.

NSIRA Recommendation: CSIS develop an accountability framework for compliance with legal advice on TRMs, including documenting when and why legal advice was not followed.

CSIS Response: CSIS’s compliance framework provides an opportunity to report instances of potential non-compliance with Ministerial Direction, internal policies or procedures, and the law. In instances where this may occur, CSIS’s Compliance program remains well situated to complete requisite fact finding and engage with the Department of Justice.

The Department of Justice provides advice to ensure TRMs remain lawful and respect the right of Canadians. CSIS diligently applies these principles and guidance from the Department of Justice in the execution of all TRMs. While advice from the Department of Justice does not provide explicit and tactical directions on the execution of TRMs, CSIS considers all Justice advice during its operational deliberations.

NSIRA Recommendation: When considering whether a Charter right is limited by a proposed TRM, NSLAG should undertake a case-by-case analysis that assesses factors identified in our report.

CSIS Response: The Department of Justice will further consider this recommendation and factor it into its work related to TRM under the CSIS Act. CSIS and the Department of Justice will continue to build their long-established and collaborative relationship in order to improve and refine the governance of TRMs.


Review of the Communications Security Establishment’s Disclosures of Canadian Identifying Information – CSE responses

CSE Management Response to NSIRA Review of 2018-2019 Disclosures of Canadian Identifying Information

NSIRA delivered its classified review to the Minister of National Defence in November 2020.

Throughout NSIRA’s review of CSE’s disclosure process, CSE responded to NSIRA requests in a timely manner and offered to provide additional context and briefings to NSIRA regarding CSE processes.

Importance of independent external review

CSE values independent, external review of our activities, and we remain committed to a positive and ongoing dialogue with NSIRA and other review and oversight bodies.

This oversight framework allows us to deliver our important mission of foreign intelligence, cyber security and foreign cyber operations in a way that demonstrates accountability, and that builds trust and confidence with Canadians.

CSE operates within a culture of compliance, grounded in our understanding of and commitment to our legal and policy regime, and evidenced by our record of self-reporting and addressing incidents and errors that may occur.

We appreciate NSIRA and their continued work to provide Canadians with greater insight and understanding of the important work that CSE does on a regular basis to keep Canadians safe.

We accept the recommendations aimed at improving our processes, yet are concerned that the overall conclusions do not fully appreciate CSE’s commitment to, and work on protection of privacy.

Canadian Identifying Information and CSE’s Commitment to Privacy

CSE is Canada’s national lead for foreign signals intelligence and cyber operations, and the national technical authority for cybersecurity. We provide critical foreign intelligence and cyber defence services for the Government of Canada (GC). Protecting Canadian information and the privacy of Canadians is an essential part of our mission.

CSE does not direct its foreign signals intelligence activities at Canadians or anyone in Canada. The CSE Act, however, recognizes that incidental collection of Canadian communications or Canadian information may occur even when targeting only foreign entities outside Canada. CSE takes very seriously our responsibility to protect Canadian privacy interests that may occur as a result of this incidental collection.

In the event that Canadian information is incidentally acquired in foreign signals intelligence collection, CSE may include obfuscated references to Canadian individuals or organizations in intelligence reporting if those references are essential to understand the foreign intelligence.

The obfuscation of this Canadian Identifying Information (CII) in reporting represents one of many layered privacy measures that are applied at different points in CSE’s end-to-end intelligence process. These include, among others, legal and policy training and on-site support for intelligence analysts, mandatory annual privacy tests for all operational employees, data tagging and auto-deletion, strict retention limits, specific handling guidelines, escalating approvals for reporting that includes CII, compliance spot checks, and separate vetting processes for disclosing obfuscated information and taking action on intelligence reporting.

Pursuant to the Privacy Act, government clients who receive CSE foreign intelligence reports may ask for obfuscated CII to be “disclosed” to them if that information relates directly to their department’s operating program or activities. Any disclosed CII is provided solely to inform their understanding of the foreign intelligence presented in the report. Government officials may not take action, share or otherwise use the CII disclosed to them under the disclosure process.

CSE continually refines its CII disclosure process. For example, to help support audit and review, CSE implemented a requirement for government clients to provide an operational justification to support their CII disclosure requests. It is important to note, however, that this is a matter of internal policy and that the Privacy Act does not require the documentation of legal authorities before information can be collected and disclosed.

Review Recommendations

CSE is committed to continuous improvement. We know that the recommendations from independent external review play an important role in that improvement. CSE has 25 years of experience working with the Office of the CSE Commissioner and now NSIRA to help improve our processes. We thank these review bodies for their work to help build trust and confidence with Canadians.

CSE continuously refines our privacy-protection measures, including those associated with the disclosure process. Improvements made over the past decade have been informed by the recommendations made by the CSE Commissioner as part of his annual reviews of CSE’s CII disclosures. Prior to NSIRA taking over review duties, CSE had accepted and implemented 95% of the recommendations made by the CSE Commissioner. Those not adopted were duplicative or overtaken by events such as new legislation. In his final 2018-2019 review, the Commissioner confirmed that CSE’s disclosures of CII complied with the law and were done in accordance with ministerial direction.

In this NSIRA review, as with previous CSE Commissioner reviews, we appreciate and have accepted the recommendations aimed at improving our internal policies and practices.

Given the overlap in this review period between the two bodies, certain NSIRA recommendations duplicate some presented in the CSE Commissioner’s reviews. As a result, we are pleased to note that many have already been implemented at this time; other NSIRA recommendations are in the process of being implemented.

Review Findings

Throughout this CII disclosure review, CSE provided extensive feedback and context to NSIRA, and sought clarification regarding the assessment criteria used to determine adequacy or inadequacy of specific records, the vast majority of which were deemed adequate by NSIRA. Without explaining the methodology used to support the findings, we are concerned that broad generalizations based on specific aspects of certain records within a single privacy measure may leave the reader with an incorrect impression about CSE’s overall commitment to privacy protections for Canadians.

CSE’s case-by-case process for disclosing CII to authorized GC recipients is part of robust and comprehensive internal measures that protect Canadians’ privacy. We balance the sharing of our intelligence with the privacy and safety of Canadians at all times. CSE disclosure analysts receive training and follow internal policies, guidelines and standard operating procedures to guide decision making.

While committed to implementing the recommended process improvements contained in the report, CSE remains concerned by NSIRA’s overall conclusions and characterization of the disclosure process and its role in the broader privacy framework, which we have expressed to NSIRA.

Referral to Attorney General of Canada

The Minister of National Defence submitted NSIRA’s classified report to the Attorney General of Canada in January 2021, supported by a comprehensive analysis of each record identified by NSIRA in its review.

The analysis supports the view that our activities, including applying protections for the privacy of Canadians, were conducted within a robust system of accountability, including compliance with the Privacy Act.

Additional Information

Top Secret-cleared and special intelligence-indoctrinated GC clients received thousands of foreign intelligence reports via CSE’s mandate under the CSE Act. These reports corresponded to Cabinet-approved intelligence priorities and were delivered to government clients who had both the authority to receive them and the ‘need to know’ their contents.

These reports reflect a wide range of intelligence requirements, from support to Canadian military operations, espionage, terrorism and kidnappings to geostrategic concerns, cyber threats, foreign interference and global crises, among others. While only a very small percentage of these reports contain obfuscated CII, the underlying Canadian information is often essential for GC officials to understand the context of the threat and its Canadian nexus.
