Communications Security Establishment’s Network-Based Solutions and Related CS/IA Activities


Backgrounder

The Government of Canada faces threats from a broad spectrum of malicious cyber actors—from cybercriminals to sophisticated foreign states—making cybersecurity a top national security priority. Protecting federal systems against these threats is a responsibility of the Communications Security Establishment (CSE), Canada’s lead agency for cybersecurity.

Within CSE, the Canadian Centre for Cyber Security leads efforts to prevent, detect, and respond to cyber threats targeting government systems and infrastructure. In 2019, the Communications Security Establishment Act granted CSE broader powers to strengthen Canada’s cybersecurity posture, including enhanced authorities related to cybersecurity and information assurance (CSIA).

Because CSE’s work involves collecting and analyzing large volumes of digital information—which may incidentally involve Canadians or individuals located in Canada—robust review is essential to ensure these activities remain lawful and reasonable and, in particular, respectful of privacy rights.

In this context, NSIRA undertook its first dedicated review of CSE’s CSIA activities. The review closely examined one of CSE’s key cybersecurity solutions, assessed its broader cyber defence operations, and evaluated how these efforts are coordinated with Shared Services Canada (SSC), which manages much of the federal government’s IT infrastructure.

To identify and prevent cyber threats, CSE acquires and analyzes vast amounts of information. These activities can be highly intrusive and engage significant privacy interests of Canadians, including those who interact with the Government of Canada. NSIRA’s review placed particular emphasis on how information that could impact Canadian privacy interests is managed.

The review concluded that CSE makes critical contributions to securing the Government of Canada’s networks and incorporates measures designed to protect the privacy of Canadians and other persons in Canada. However, NSIRA identified two important areas for improvement.

First, the review found that CSE’s reporting to the Minister of National Defence—the minister responsible for overseeing CSE—lacked sufficient clarity and detail. This gap could hinder the Minister’s ability to make fully informed decisions about CSE’s cybersecurity activities.

Second, NSIRA observed that, in limited cases, CSE’s collection of information from external sources may have implicated the privacy rights of Canadians.

To address these issues, NSIRA issued seven recommendations aimed at enhancing transparency in CSE’s communications with the Minister and strengthening procedures for assessing and managing data that may affect privacy interests.

These findings underscore the vital importance of rigorous, independent review in national security matters. As cyber threats continue to evolve in scale and sophistication, Canada must ensure that its digital defences remain not only effective but also accountable and consistent with Canadian values. NSIRA’s review plays a crucial role in maintaining this balance—ensuring that security and privacy go hand in hand.
