Backgrounder
This marks NSIRA’s second review of the Communications Security Establishment’s (CSE) Active Cyber Operations (ACOs) and Defensive Cyber Operations (DCOs). While the first review focused on planning, approval, and governance processes, this review assessed the operations themselves—specifically, how the governance and legal frameworks are applied in practice.
NSIRA found that the ACOs and DCOs reviewed were lawful. However, it identified areas where improvements could reduce operational risks.
ACOs and DCOs are recent tools in Canada’s foreign and security policy. ACOs are intended to disrupt or interfere with foreign actors to limit threats to Canada’s international relations, defence, or security. DCOs are designed to protect the electronic information and systems of federal institutions and other designated entities. Both types of operations fall under CSE’s mandate as defined in the Communications Security Establishment Act (the Act), and can only be conducted under a Ministerial Authorization.
Importantly, the Act prohibits ACOs and DCOs from targeting Canadians, individuals in Canada, or from infringing upon the Canadian Charter of Rights and Freedoms.
Specific legal requirements that must be met before the Minister can issue an Authorization for ACOs or DCOs. Additionally, unlike other types of Authorizations under the Act that involve information collection, ACO or DCO Ministerial Authorizations do not require approval by the Intelligence Commissioner. This increases the importance of close ministerial oversight. NSIRA found, however, that CSE’s applications for these Authorizations lacked certain key information needed for the Minister to make a fully informed decision. For example, the applications did not clearly explain how cyber operations could lead to the collection of information under a separate authorization, omitting important context for assessing legal and operational implications.
Although the primary focus of this review was on CSE, NSIRA also assessed the roles of Global Affairs Canada, the Canadian Security Intelligence Service, the Royal Canadian Mounted Police, and the Department of National Defence/Canadian Armed Forces, all of which are involved in varying degrees of coordination with CSE’s ACOs and DCOs. While collaboration between agencies exists, NSIRA found that there remains room for improved consultation and coordination.
NSIRA noted that CSE has made progress in refining its planning and execution of ACOs and DCOs, incorporating lessons from NSIRA’s previous review. The current review included four in-depth case studies, which informed both specific findings and broader recommendations.
