Date of Publishing:
Executive Summary
This was NSIRA’s first review of CSE’s governance of Active and Defensive Cyber Operations (ACO/DCOs). The review assessed the governance framework that guides the conduct of ACO/DCOs and whether CSE appropriately considers its legal obligations and the foreign policy impacts of operations.
CSE’s authority to conduct ACO/DCOs was introduced in 2019 through the Communications Security Establishment Act. These powers did not exist prior to the introduction of that legislation and are important new capabilities for the Government of Canada. The current global environment is clarifying the relevance of these capabilities and authorities for Canada.
In keeping with its commitment to lawfulness, CSE has worked diligently and methodically to operationalize these new authorities. As CSE continues to develop this capability, it is proceeding cautiously to ensure all activities are carried out in accordance with the CSE Act, and in line with Canada’s international obligations, in particular those highlighted in Canada’s recently published statement on the application of International Law in cyberspace.
CSE acknowledges the crucial role that review bodies play in the national security and intelligence community and CSE welcomes reviews by and recommendations from these review bodies. NSIRA’s recommendations from its review of CSE’s ACO/DCO governance framework will help guide the development of CSE’s capabilities so that CSE can continue to ensure lawfulness as well as effectiveness, efficiency and responsiveness.
As a crucial partner in the ACO/DCO governance framework, NSIRA engaged GAC in this review and made recommendations in relation to both GAC and CSE. CSE and GAC are pleased to provide the following response to NSIRA’s recommendations.
Recommendation no.1:
CSE should more precisely define the classes of activities, associated techniques, and intended target sets to be undertaken for Active and Defensive Cyber Operations as well as their underlying rationale and objectives, both in its Applications and associated Ministerial Authorizations for these activities.
CSE’s response:
CSE agrees with this recommendation.
While CSE agrees with this recommendation, CSE notes that the Minister is always provided with a sufficient amount of information and detail necessary to assess the application and grant an authorization.
CSE agrees that, where operationally appropriate, combining the information contained in briefings and presentations into the written application and authorisation will provide a more comprehensive written record. CSE has begun refining the information included in Active Cyber Operations (ACO) and Defensive Cyber Operations (DCO) applications and authorisations.
Recommendation no.2:
GAC should include a mechanism to assess all relevant foreign policy risk parameters of Active and Defensive Cyber Operations within the associated Ministerial Authorizations.
GAC’s response:
GAC agrees with this recommendation.
GAC already includes a consideration of a wide variety of factors in its Foreign Policy Risk Assessment, as identifiable in the Foreign Policy Risk Assessment template.
CSE has also in the past provided separate operational/technical risk assessments in its mission plans. This has included additional information about the targets and their activities on the GII, the technologies they use, or the complex technical systems CSE develops and deploys to conduct these operations.
Recommendation no.3:
CSE and GAC should establish a framework to consult key stakeholders, such as the National Security and Intelligence Advisor to the Prime Minister and other federal departments whose mandates intersect with proposed Active Cyber Operations to ensure that they align with broader Government of Canada strategic priorities and that the requirements of the CSE Act are satisfied.
Joint CSE and GAC response:
In principle, CSE and GAC agree with this recommendation.
All relevant Government of Canada stakeholders whose mandates may intersect with a planned ACO are consulted. We agree with the importance of ensuring alignment with broad Government of Canada strategic priorities and believe there are a number of avenues already in place through which updates can be shared and consultations can be undertaken with the broader security and intelligence community as and when needed. Examples of this include the Assistant Deputy Minister (ADM) and Deputy Minister (DM) level security and intelligence committee infrastructure (e.g. ADM National Security Operations Committee, DM Operations Committee) and the geographic-specific committee infrastructure. Additionally, there is a community-wide intelligence priority process that provides a framework and guidance for intelligence-related activities such as cyber operations.
We appreciate that as the types of ACOs considered and undertaken broaden, the current model for consulting government departments and agencies may need to evolve. CSE and GAC will work together to evolve an appropriate consultation framework over time as needed.
Recommendation no.4:
CSE and GAC should develop a threshold that discerns between an Active Cyber Operation and a pre-emptive Defensive Cyber Operation, and this threshold should be described to the Minister of National Defence within the applicable Ministerial Authorizations.
Joint CSE and GAC response:
CSE and GAC disagree with this recommendation.
CSE and GAC cannot agree with this recommendation as it refers to an activity (pre-emptive Defensive Cyber Operation) that is not provided for in the Communications Security Establishment Act (CSE Act) and that CSE does not conduct.
Under the DCO aspect of CSE’s mandate in section 18 of the CSE Act, CSE is authorized to carry out activities on or through the global information infrastructure to help protect federal institutions’ electronic information and information infrastructures and electronic information and information infrastructures designated under the CSE Act as being of importance to the Government of Canada (relevant infrastructure). The threat does not need to have compromised the information or infrastructure before a DCO is initiated, but it must present a credible threat to the designated information infrastructure(s). (U) In circumstances where CSE is aware a cyber threat exists but this threat has not manifested as a threat to the designated infrastructure(s), CSE can consider conducting an ACO. CSE can only conduct an ACO if it can satisfy the Minister that any intended activities would degrade, disrupt, influence, respond to or interfere with the capabilities, intentions or activities of a foreign individual, state or organisation or terrorist group as they relate to international affairs, defence or security.
If NSIRA believes that CSE and GAC need to more clearly define the threshold between an ACO and a DCO, then CSE and GAC also disagree with this recommendation on the basis that the CSE Act clearly sets out the conditions that CSE must satisfy before undertaking cyber security activities, DCOs or ACOs. There is no need for any other threshold to be created.
Recommendation no. 5:
In its applications to the Minister of National Defence, CSE should accurately describe the potential for collection activities to occur under separate authorizations while engaging in Active and Defensive Cyber Operations.
CSE’s response:
CSE agrees with this recommendation.
CSE already accurately describes the potential for collection activities, and the authority for such activities, in its applications to the Minister of National Defence. CSE has taken steps to ensure that applications for and authorizations of ACOs and DCOs clearly reference the authorizations under which any acquisition of information required to achieve the intended outcome of the ACO or DCO is conducted.
Importantly, CSE is not permitted to acquire information under an ACO or DCO authorization. The acquisition of the information relied on to conduct ACO and DCO activities is authorised under CSE’s foreign intelligence authorization, cybersecurity authorization or an emergency authorization. The use of this information in support of ACO and DCO purposes is outlined in CSE’s foreign intelligence and cybersecurity authorizations. These authorizations are reviewed by the Intelligence Commissioner who assesses the reasonableness and proportionality of the acquisition and use of information for ACO and DCO purposes.
Recommendation no. 6:
CSE should include all pertinent information, including targeting and contextual information, within all operational plans in place for a cyber operation, and in materials it presents to GAC.
CSE’s response:
CSE disagrees with this recommendation.
GAC requires sufficient and pertinent information upon which to base its analysis related to foreign risk and international law. CSE has worked with GAC to share the appropriate level of operational detail that GAC has requested to conduct their work. This need is reflected in the CSE-GAC Governance Framework whereby GAC is provided with an operation-specific Mission Plan to inform its Foreign Policy Risk Assessment. GAC is satisfied with the information provided by CSE. When GAC has required additional information to conduct its Foreign Policy Risk Assessment or international law assessment, CSE has provided the supplemental information requested.
Recommendation no. 7:
CSE should provide a structured training program to its employees involved in the execution of Active and Defensive Cyber Operations (ACO/DCOs), to ensure that they have the requisite knowledge of CSE’s legal authorities, requirements, and prohibitions, as required by the associated Ministerial Authorizations.
CSE’s response:
CSE agrees with this recommendation.
To supplement the existing mandatory annual training and testing that covers CSE’s legal authorities, requirements and prohibitions, CSE will consider developing a tailored training program for employees involved in the planning and execution of ACOs and DCOs.
Recommendation no. 8:
CSE and GAC should provide an assessment of the international legal regime applicable to the conduct of Active and Defensive Cyber Operations. Additionally, CSE should require that GAC conduct and document a thorough legal assessment of each operation’s compliance with international law.
Joint CSE and GAC response:
CSE and GAC partially agree with this recommendation.
In the time since this review concluded, GAC and CSE have continued to develop the process for assessing the international legal implications of cyber operations, with GAC’s Legal Bureau documenting a thorough legal assessment of each operation’s compliance with international law.
Procedurally, CSE submits a Mission Plan to GAC requesting a Foreign Policy Risk Assessment. Once received, GAC’s Legal Bureau leads a consultation process with Department of Justice (DOJ) counsel from both CSE’s and GAC’s Department of Legal Services (DLS), and in some cases, with DOJ counsel from the Constitutional, Administrative and International Law Section (CAILS), to discuss the international law implications of the planned operation as described in the Mission Plan. (U) These discussions are summarised in a written legal assessment recorded in the Foreign Policy Risk Assessment and are grounded in the international law analysis the GAC Legal Bureau has been developing over many years, including in the Government of Canada’s comments on the draft chapter of Tallinn Manual 2.0 in 2016, the development of the Draft Desk Book coordinated by GAC’s Legal Bureau and produced in August 2019, and the extensive legal analysis done in advance of the original ACO and DCO MAs.
GAC notes that it would be unusual to produce a comprehensive legal assessment of applicable law with respect to a range of potential or hypothetical operations that might be conducted by Canada, its allies and its adversaries in any field, cyber or otherwise. Rather it is GAC’s practice, like that of States generally, to produce legal assessments in relation to specific proposed activities or operations or court cases or other potential disputes.
GAC has consolidated its international legal analysis into a public statement on international law applicable to cyberspace. This public statement was developed and completed through extensive interdepartmental consultations among legal and policy experts, as well as an analysis of other national statements and leading publications and processes, including Tallinn Manual 2.0, the Swiss-led Expert Dialogue on International Law and Cyber, the Dutch-led Hague process, the Swiss-led Informal Consultations on International Humanitarian Law and Cyber Operations, the Oxford Process, and the US Cyber Command annual Legal Conference. Canada has joined like-minded and other nations in producing a public statement, in part to advance ongoing multilateral processes at the United Nations and elsewhere, to further develop common understandings and a broader consensus on how international law applies in cyberspace.
Recommendation no. 9:
CSE and GAC should communicate to one another all relevant information and any new developments relevant to assessing risks associated with a cyber operation, both in the planning phases and during its execution.
Joint CSE and GAC response:
CSE and GAC agree with this recommendation.
In the time since this review concluded, CSE and GAC have increased the frequency of working-level exchanges. Under the GAC-CSE Foreign Cyber Operations Governance Framework, GAC and CSE will bolster the existing points of contact and develop standard operating procedures for CSE and GAC to mutually provide any new information or developments relevant to a cyber operation.
