On February 14, 2022, the National Security and Intelligence Committee of Parliamentarians (NSICOP) released a report that explored how the Government of Canada sought to defend its systems and networks from cyber attack from 2001 onwards.1 The report provides a comprehensive account of how elements of the Government of Canada–namely the Treasury Board Secretariat (TBS), Shared Services Canada (SSC) and Communications Security Establishment (CSE)–have developed policies, procedures, and techniques to protect government systems, as well as the iterative learning processes that have occurred over the past two decades or so pertaining to governmental cyber defence activities.
I want to highlight four core things that emerge from my reading of the report:
- From an empirical point of view, it’s useful to know that the Government of Canada is preparing both a policy on paying ransomware operators and a Vulnerabilities Disclosure Policy (VDP), though the report does not indicate when either will be opened to public comment or adopted as formal government policy;
- A high-level discussion of senior coordination committees is provided, though without an accompanying analysis of how effective these committees are in practice. In particular, the report does not discuss how, as an example, cross-departmental committees are working to overcome problems that are raised in the sections of the report focused on TBS, SSC, or the CSE;
- NSICOP maintains that all parties associated with the government–from Crown corporations, to government agencies, to other independent branches of government–should operate under the government’s security umbrella. NSICOP does not, however, make a constitutional argument for why this should be done, nor does it assess the operational reasons why agencies may not currently operate under this umbrella. Instead, the report narrowly argues that there are minimal privacy impacts associated with enjoying the government’s cyber security protections. In doing so, the committee presumes that privacy concerns are what have driven separate branches of government to operate outside the policies set by TBS and the services offered by SSC and the CSE. At no point did the Committee engage with the Office of the Privacy Commissioner of Canada (OPC) to assess potential privacy issues associated with the government’s cyber security policies and practices; and
- NSICOP did not canvass a wide set of government agencies in its interviews and included no parties external to government. As a result, the report does not provide the context needed to understand why some government agencies refuse to adopt TBS policy guidance or regulations, decline services operated by SSC, or make limited use of the advice or technical systems offered by the CSE. Nor does it substantively assess, from the perspective of those on the receiving end of the proffered cyber security and defence offerings, the challenges in how TBS, SSC, or the CSE themselves are deploying their defensive capacities across government.
In this post, I conduct a deep dive into NSICOP’s report, entitled “National Security and Intelligence Committee of Parliamentarians Special Report on the Government of Canada’s Framework and Activities to Defend its Systems and Networks from Cyber Attack.” Throughout, I summarize a given section of the report before offering some analysis of it. In the conclusion of this post I summarize some of the broader concerns associated with the report itself, as well as the implications these concerns may have for NSICOP’s long-term viability as an independent reviewer of the national security community.
The report opens with an example meant to showcase the effectiveness of Canada’s approach to defending its networks. Specifically, it notes that Chinese operators exploited vulnerabilities in Microsoft Exchange email servers so as to establish long-term presences in affected and associated systems. However, the Treasury Board of Canada Secretariat (TBS), Shared Services Canada (SSC), and Canadian Centre for Cyber Security (CCCS) worked within government to ensure that the requisite patches were applied. Only one government organization, the National Security and Intelligence Review Agency (NSIRA), failed to deploy the patches in time and was thus affected by the incident.2
NSICOP’s members have been interested in cyber threats since 2018 but deferred a review into how the government defended against, and responded to, these activities until this report “to avoid negatively affecting the implementation of recently announced changes to government machinery, notably the creation of the Canadian Centre for Cyber Security and the attendant changes in the roles and responsibilities of Shared Services Canada and Public Safety Canada” (2). Rather than taking an expansive view of cyber security, the report focuses exclusively on ‘cyber defence’, defined as “the technical capability to discover and detect cyber incidents, and to develop and deploy measures to defend against them” (2).3
In the contemporary era, cyber defence is led by three key players: TBS, SSC, and the CSE. TBS plays a role by way of establishing directives and policies which apply across government. SSC is principally responsible for consolidating systems, services, and connections to minimize the attack surfaces presented to operators, while also placing government assets behind sensors that have been created and managed by the CSE. The CSE has been the lead in developing and deploying cyber defences, and possesses the technical knowledge to develop systems meant to protect government systems and services.
The report’s introduction concludes by citing a number of cyber defence strategies promulgated over the past two decades and by noting that, since 2010, the government has invested in excess of $6 billion in defending government networks from cyber attacks, which works out to approximately $545 million per year. To put this into context, the federal government’s last pre-pandemic budget, for 2019-2020, included approximately $373.5 billion in spending.
Analysis of Introduction
The most notable element of the introduction is its definition of cyber defence. While that definition might seem to exclude non-technical methods or processes intended to defend the Government of Canada against foreign operators, the report regularly attends to the non-technical elements of cyber defence and security through the lens of the policy documents and strategies developed to coordinate and enhance technical security. Also, the budgetary figures suggest that the additional funds allocated to strengthen cyber security and defence are relatively meagre: $545 million per year is roughly 0.15% of a $373.5 billion budget, or about one seventh of one percent.
Overview of the Report
The agencies involved in the review were TBS, SSC, the CSE, and Public Safety Canada (PSC). The review sought to understand the development of the frameworks (e.g., legislative, regulatory, policy, operational, administrative, or financial) pertaining to cyber defence, the evolution of what constitutes cyber defence, and the nature of the threats experienced or monitored by the Government of Canada. It also examines the governance, coordination, and accountability structures associated with cyber defence activities, instances of cyber compromise, and the risks–such as privacy risks–linked with defensive activities.
The following were excluded from the review:
- Cyber defence activities linked to defending critical infrastructure outside of the Government of Canada were seen as too broad for this report;4
- Activities undertaken by the Government of Canada to defend the 2019 federal election were excluded on the basis that a separate report had been completed in 2020 and NSICOP had already provided comments on it; and
- The government’s responses to cyber crimes were not reviewed given that such crime was outside the purview of NSICOP’s mandate and the RCMP was undertaking “significant changes” (6) in how it was investigating cybercrime.
Most of the committee’s work was based on documents provided by the agencies under review. These were supplemented by open source academic and public materials. Non-government subject matter experts were minimally (if at all) consulted “due to the pandemic” (6). Some briefings with, and appearances by, government experts took place despite the pandemic with NSICOP holding a total of 5 meetings with government officials for this report. Those meetings occurred between June 19, 2020 and August 11, 2021.
NSICOP front-loads a major conclusion of the report in their overview. Namely, ‘vertical’ crown corporations and certain government institutions need to set aside their discretion and opt into the government’s cyber defence framework. The discretion afforded to these bodies, the committee asserts, “were set in a pre-digital era and should be updated for new technologies and threats” (7).
Analysis of Overview of the Report
It was somewhat surprising that the committee only met with, or was briefed by, government officials five times in just under fourteen months. It is possible that the Committee adopted this tempo because the large volume of documents it received largely answered its questions. It was also surprising, and a bit confusing, that the pandemic was used to justify the Committee or its staff not speaking with subject matter experts external to government. From personal experience, I know that I and many colleagues have spoken to review organizations and engaged in sensitive national security conversations throughout the pandemic using appropriately secured systems and protocols. It’s unclear from the report why NSICOP was unable to do the same.
While I won’t belabour the point here, as will become apparent throughout NSICOP’s report (and my analysis of it) the Committee’s assertion that independent bodies should enter into the government’s defensive perimeter is more challenging than it may initially appear. At no point does NSICOP seriously take up the more substantial potential challenges associated with this assertion and, instead, presents privacy concerns as the impediment to all government agencies and institutions using centralized Government of Canada cyber defence services.
Past Examinations of Cyber Defence Activities
The report outlines external and internal reviews that have been conducted over the past 20 years, and includes short summaries of external reports published by the Office of the Auditor General (2012 and 2015) as well as by the Senate’s Standing Committee on Banking, Trade, and Commerce (2018). The latter report suggested that “a new federal minister of cyber security” should be established, who would be responsible for federal cyber security and coordinate with the provinces, territorial governments, and the private sector (9).
The CSE Commissioner also conducted numerous assessments of the CSE’s activities. One such assessment found, in 2006, that some of the CSE’s cyber defence activities were non-compliant with operational policies and procedures, which led to a temporary cessation of those activities until the ministerial authorization program and policy framework were restructured in October 2007. Fast forward to 2019, and the Intelligence Commissioner has noted deficiencies in cyber security authorizations issued following the passage of the CSE Act, insofar as they have included “missing descriptions of outcomes, missing descriptions of the cyber security services received by clients and unexplained conditions that the Minister imposed on authorizations” (11). None of these deficiencies, however, has prevented the Intelligence Commissioner from concluding that the Minister’s conclusions were reasonable.
Internally, the Treasury Board Secretariat (2016), Office of the Comptroller General of Canada (2016), and Public Safety Canada (2017) all conducted reviews of the government’s handling of cyber security. These included assessments of how decisions were made, the governance and control frameworks associated with information technology security, and progress made to defend against cyber attacks.
In aggregate, the previous reports and findings of bodies external and internal to government give NSICOP a lay of the land for what has been done and which problems were flagged previously, and thus should enable the Committee to assess the extent to which those problems or challenges have been overcome and the extent to which some have long lingered.
Analysis of Past Examinations of Cyber Defence Activities
While it isn’t mentioned in NSICOP’s report, there have been updates to the ministerial structure associated with cyber security and public safety. Specifically, the portfolio of the Minister of Public Safety and Emergency Preparedness has been split in two, which should in theory give the Minister of Public Safety more bandwidth to focus on cyber-related issues alongside the others in their portfolio. This division, however, does not satisfy the Senate’s 2018 recommendation that a minister for cyber security be created. At no point does NSICOP’s report circle back to assess whether the Senate’s recommendation still holds today or whether the division of responsibilities between different government agencies and coordinating bodies suffices.
Part I: Cyber Threats – what’s at stake and who is involved?
This section of the report begins by outlining the threats that cyber attacks pose to Canadians, specifically those linked to exposure of Canadians’ personal information; of information the government holds about businesses; of intellectual property, research, and academic outputs; and of information about government policies and policy making. Other threats are to security and intelligence information and operations, and to the integrity of government systems. The variety of threats, and the examples given throughout, provide a good sense of the potential risks linked with exposure of information and, also, of which federal bodies collect, use, and disclose these types of information.
NSICOP uses a CSE typology to identify six categories of actors: nation-states, cybercriminals, hacktivists, terrorist groups, thrill-seekers, and insider threats. Most cybercriminals are regarded as “moderately sophisticated threat actors” and largely fall outside the scope of the study, which focuses on “state-sponsored actors due to their high-level of sophistication and therefore greatest possibility of causing significant harm” (17). However, cybercriminals are recognized as operating as “criminal service providers”, which enhances the threat posed by even unsophisticated actors. China and Russia are seen as the principal threats, alongside other (redacted) countries which are “investing heavily in their capacity” to subvert Canada’s defensive measures (18).
NSICOP’s report provides significant details about the sensor networks that have been developed and operated by the CSE. The CCCS, which is part of the CSE, manages “three types of cyber defence sensors” that monitor for anomalies “across certain government departments, networks and cloud environment” (19). Since 2013 the sensors have provided dynamic defence and, since 2015, the volume of cyber incidents has declined and their impacts have been less significant. These defences largely enable the CCCS to “prevent the type of damage that in the past would have required targeted departments to completely rebuild their networks” (19).
In discussing modes of compromise, NSICOP again draws on the CCCS’ work to describe, at a high level, how beaconing, remote exploitation, remote access, malware artifacts, phishing, browser-based exploitation, data exfiltration, and denial of service function. The analysis that the CSE provided about these modes of compromise is redacted.
When it comes to naming specific threat actors, NSICOP follows other Canadian bodies in naming a set of ‘known’ adversaries while redacting the identities of others. China and Russia are identified as the most sophisticated actors, whereas Iran, North Korea, and one redacted country pose “moderate” threats. Three redacted countries pose “low” threats. The Committee “uses the name of the involved state when discussing both state actors and state-sponsored actors” (22).
NSICOP provides slightly different descriptions of how Chinese and Russian operations target academic or research bodies. Whereas China’s activities are intended to collect for the benefit of China’s economy or military, Russia’s operations are designed principally to collect foreign and military intelligence. Only Russia is described as performing reconnaissance of industrial systems and telecommunications providers, and as working to determine where divisions in Canadian society exist that might be exploited through influence operations.5 While NSICOP’s report does not explicitly state that China relies on state-adjacent actors to conduct its operations, it does make this linkage explicit when discussing Russia, asserting that the country “employs a number of non-state actors, including cybercriminals, private companies and so-called troll farms to conduct cyber threat activities on its behalf” (24). Beyond China and Russia, only North Korea’s threat activities are described (i.e., conducting criminal activities to collect currency for the regime); Iran’s motivations, and those of the four redacted moderate- and low-threat states, are not provided in the open source version of NSICOP’s report.
NSICOP spends some time focusing on ransomware when assessing the risks that criminal activities pose towards government networks. While the CSE assessed that ransomware constitutes a low proportion of the criminal activities targeting government systems, the agency recognizes that a single incident “could be devastating for an individual department” (26). At least one Crown corporation has been significantly affected by ransomware and, as of the time of writing the report, the government was “considering a policy on ransomware payments” (27).
Analysis of Part I: Cyber Threats – what’s at stake and who is involved?
In terms of how the government assesses threat actors, there is at least one group that sits poorly in the categories provided in NSICOP’s report. Where, exactly, do ‘cyber mercenary’ groups such as Hacking Team, FinFisher, NSO Group, Candiru, or Circles fit? These are all firms which have sold, or currently sell, their products widely to states that may be unable to develop comparably sophisticated surveillance tools and programs on their own. Are such companies operating as “criminal service providers”? Or are they situated as “state sponsored” operators and, if so, would that mean that a company such as NSO Group is considered to be sponsored by many (and often rivalrous) states at once?
The NSICOP report very helpfully provides official disclosure of elements of the sensor network that the CSE has developed, which were first revealed in the Snowden disclosures around CASCADE and EONBLUE. I’ll set this aside, now, to return to in later sections of the report. NSICOP’s revelation stands in contradistinction to the CSE’s historical secretiveness about these defensive capabilities, even while allies who use the CSE-made sensor network have been open about their use of it.
While it is positive to hear that the sensor networks deployed by the CSE have been effective in mitigating the worst cyber incidents that might afflict government, that success only magnifies the significance of the incident that Global Affairs Canada began experiencing in January 2022: even a month after the incident the foreign ministry was “hobbled”, suggesting the incident was particularly serious.
When it comes to threat actors, it was curious to see NSICOP explicitly reiterate that criminals and state-adjacent groups assist Russia in its operations when the same was not said in the unclassified text regarding China. Whether this was an oversight in drafting or a deliberate call-out is unclear. If intentional, it is unclear why; if accidental, it’s a shame it wasn’t caught in editing. Because readers of national security documents are forced to read tea leaves, it is imperative that only the relevant leaves are deliberately left out in the open; this report (and NSICOP’s relative quietude) leaves the public unable to tell what it should read into the Committee’s reports and writing.
I found it interesting to note which threat actors were not present in the report: there was no mention of India or Pakistan, as an example, both of which have previously been documented as conducting intelligence operations within Canada. The same is true of allied countries known to be voracious intelligence collectors, such as France or Israel. There are also a number of countries that are acquiring cyber attack/intrusion capabilities by purchasing tools from cyber mercenaries such as NSO Group: do such acquisitions constitute even a moderate or low threat from the perspective of NSICOP or the agencies whose documents underpin its report?
NSICOP arguably broke news when it reported that the Government of Canada was preparing a policy on paying ransoms to ransomware operators, though the report does not provide any details about what this policy might look like or when it might be completed. Hopefully this policy will be circulated and debated rather than simply published by the government.6
Perhaps most curious about this part of the report, however, is its persistent assertion that nation-states are the principal threat actors of concern while, at the same time, it spends a significant amount of time discussing cybercriminal gangs and cybercrime more generally as they pertain to threats faced by the Government of Canada. While that material is important to include, the way the information is presented suggests the committee is, in practice, quite attentive to cyber crime.
Part II: Evolution of the Government’s Framework for Cyber Defence
This section of the report provides a history of how the Government of Canada–and, most significantly, the CSE–has sought to defend government networks over the past 20 years. NSICOP starts its historical summary with the passage of the Anti-Terrorism Act in 2001, which placed the CSE and its mandate in the National Defence Act (NDA). The NDA authorized the CSE to undertake “active network security testing to measure the security of specific government systems and networks and computer network defence activities to protect specific government systems and networks” (29, emphasis in original).
Starting in 2002 and 2003, the CSE began receiving Ministerial Authorizations (MAs) to conduct tests of networks external to the CSE and Privy Council. These tests were, in part, driven by the Department of National Defence (DND) having detected an intrusion in 2003 and by the CSE and Foreign Affairs Canada (FAC) detecting, in either 2003 or 2004,7 Chinese government efforts to compromise FAC’s network. Whereas the DND intrusion was detected “[i]n late 2003” and an MA authorizing the CSE’s actions was approved in January 2004, the MA approving the CSE to conduct active network security testing of FAC’s systems was not granted until June 2005. One thing that was somewhat surprising, when I first read it, was that the CSE had to obtain an MA even to conduct computer network defence activities on its own networks; while this makes some sense in hindsight (on the basis that the CSE would have had to obtain access to private communications), it leaves open the question of how the CSE had been defending its own networks prior to receiving the relevant MA.
The CSE was forced to cease its efforts to develop active network security cyber defence capabilities between October 2006 and December 2007. This occurred because the CSE Commissioner found there were issues with how the CSE complied with its MAs between June 2005 and October 2006, which “called into question CSE compliance with the Privacy Act and the National Defence Act” (32).8 When activities resumed, all active network security cyber defence operations were placed under a single ‘umbrella type’ MA that applied to all government departments and used a consistent policy framework. While the CSE continued to provide security assessments to various agencies, this model of defending government systems was largely wound down after 2012 because the CSE’s penetration tests invariably demonstrated that it could penetrate client agencies’ networks.
The umbrella MAs under which the CSE operated after 2008 authorized active network security testing and computer network defence activities on government systems to protect against the theft of sensitive information. Under these MAs the CSE could undertake incident analysis, anomaly analysis, forensic intrusion analysis, incident reporting, and advanced tool development, and on that basis it began to deploy sensors across Government of Canada networks. As a result, it detected intrusions and data exfiltration attributed to the Chinese government.
From 2010 to 2018 there were a number of policy shifts within the government that affected its cyber security stance. The first was the Cyber Security Strategy (2010), which allocated $205 million over five years to the CSE. This money was principally used to install network-based sensors to monitor departments for threats and mitigate attacks, and to develop host-based sensors for deployment on government endpoints. Consequently, by 2013 the CSE was able to undertake dynamic defence to better monitor and proactively respond to threats “by blocking attacks at the government perimeter” (35).
At the same time that the CSE was developing its capacity, the newly created Shared Services Canada (SSC) was tasked with consolidating the information technology resources used across government. In addition to providing threat monitoring, vulnerability assessment, and forensic services for its 43 core partners, SSC reduced the attack surface presented to adversaries by consolidating “more than 720 government data centres to 381, with a goal to ultimately transition to 4 regional hubs, and reduc[ing] the number of Internet access points from approximately 100 to 2, with plans to add 3 regional hubs (for a total of 5 secure connections) and potentially 3 international hubs” (36).
Moreover, as part of policy development, responsibilities for cyber security management were more clearly divided: the RCMP was tasked with cyber security management for non-federal entities (including provincial and territorial governments), whereas the CSE was responsible for operations and incident management for the federal government. The Deputy Ministers’ Committee on Cyber Security (DM Cyber Security) was created to facilitate coordination among the CSE, TBS, SSC, CSIS, the RCMP, DND, and the Privy Council, though NSICOP notes that the efficacy of this committee was unclear, given a lack of documentation and demonstrated ongoing confusion about the roles and responsibilities of the agencies represented on it. Finally, TBS was tasked with supporting governance of, and response to, cyber incidents by creating standards, guidelines, and policies for government departments, which culminated in its Digital Operations Strategic Plan in 2018.
The government refreshed its strategy in 2015 given that cyber security had become an increasingly pressing issue. This led to providing funds for:
- enhanced threat intelligence collection and analysis and sharing of information with critical infrastructure providers, as well as the private sector more generally;
- increased partnership with telecommunications service providers; and
- additional resources to law enforcement to investigate and disrupt cyber crimes.
In 2018, the government released its National Cyber Security Strategy which included $508 million over 5 years, and $109 million annually thereafter. $155 million of the first sum and $45 million of the second went to the CSE. The Canadian Centre for Cyber Security (CCCS) was created, as well, which merged the CSE’s Information Technology Security program and Canada’s national CERT, the Canadian Cyber Incident Response Centre (CCIRC).9 As part of the National Cyber Security Strategy, CSIS was tasked with increasing “its work in cyber intelligence collection and cyber threat assessments to improve its cyber situational awareness and ability to provide advice to the government on issues of cyber relevance” (39). CSIS’ activities are not taken up at any later point in the report.
Analysis of Part II: Evolution of the Government’s Framework for Cyber Defence
Part II demonstrates that the CSE and government agencies had to learn how to defend their systems in much the same way as the private sector. The incremental pen-testing approach–and the requirement to obtain individual MAs–arguably followed the patterns of the time. Some MAs, however, took far longer to prepare than others; this isn’t discussed in NSICOP’s report and it thus remains unclear why. Positively, NSICOP’s report gives us the historical tick-tock of when, and why, the CSE switched from obtaining MAs for specific cyber defence operations to umbrella MAs authorizing a whole class of activities.
It was somewhat surprising to read that TBS only developed and promulgated a Digital Operations Strategic Plan in 2018. This detail raises questions about whether the government can develop policies quickly enough to respond to serious threats, especially when threat actors (based on the NSICOP report alone) have historically been quite successful in penetrating a wide range of critical government departments. Perhaps a speedier response is possible now that enough underlying work has been done, though this isn’t something the report considers or addresses.
It’s worth recognizing that the CSE’s MAs were found deficient on the grounds that they may not have complied with the Privacy Act or the NDA, if only because the finding lays bare that the agency’s actions have not always been found to comply with law. The Office of the CSE Commissioner’s historical finding resonates with more recent reviews of the CSE’s activities, which have also concluded that the CSE has run afoul of the Privacy Act. While CSE officials routinely assert that they operate in full conformity with the law, the NSICOP report makes clear that mistakes have been made.
Part III: Key Cyber Defence Player, Authorities and Activities
This part of NSICOP’s report offers a high-level survey of the agencies which are tasked with different elements of the government’s cyber security operations and policies. Unlike in past parts, here I break down the report into its component agencies to provide a bit of structure between summarizing NSICOP’s writing and providing my analyses of it.
Treasury Board Secretariat
TBS allocated $6.4 million annually for cyber and security policy, which amounts to 21% of the Chief Information Officer of Canada’s $31 million budget. While TBS is responsible for setting policies for much of the government, as well as for agencies in which the government shares ownership or participates in management or oversight, neither the House of Commons nor the Senate is subject to the Financial Administration Act (FAA) or to TBS policies.
The FAA can be used to impose mandatory cyber security and defence policies on government agencies and departments, though NSICOP’s report makes clear that failing to comply with TBS direction has not led agencies to suffer administrative consequences (45). The TBS has promulgated policies for government security as well as ‘Service and Digital’, which together are meant to set “the foundation for government cyber security and cyber defence” (46) while simultaneously requiring “officials to enhance programs by leveraging new services and technologies while proscribing key cyber security and cyber defence functions and responsibilities” (48). The third “foundational policy instrument” for cyber defence is the digital operations strategic plan. The plan has four pillars:
- Network consolidation, connectivity, and perimeter security. While SSC has undertaken work to implement this pillar and will have migrated a total of 104 departments to SSC-managed enterprise networks by 2024, no date has been set for when this policy will be considered completed.
- Secure endpoint devices. Implementing this requires deploying endpoint intrusion prevention systems and application controls to let administrators identify and run permissible programs, and is intended to complement the CSE’s host-based sensors. This is expected to be completed in 2024.
- Improve access control and application development. This is meant to manage and control who has administrative controls over systems and reduce risks associated with parties taking advantage of elevated privileges. There is no timeline for this to be completed.
- Improve awareness of cyber threats and risks to the government’s systems and networks. This is meant to generally raise awareness but when NSICOP wrote their report TBS did not “currently have a deliverable date for this project”. Separately, “TBS and CSE will develop a government vulnerabilities disclosure framework that quickly identifies and mitigates vulnerabilities” (54). No date is set for this to be completed.
Analysis of Treasury Board Secretariat
The role of TBS is to create, establish, and track policies which are promulgated across government. As such, its activities will often rely upon coordination with other agencies. TBS cannot be expected to ‘solve’ problems on its own. Still, having only $6.4 million allocated to fulfilling this function through the Office of the CIO seems low.
This section of the report continues to emphasize that there is a need for agencies and institutions, of all types, to be subject to the government’s cyber defence policies. Significantly, this would mean that even non-executive institutions, including the Commons and Senate, should thus be protected. As will be discussed later, this emphasis matters because the report regularly indicates that the executive should be permitted to extend its defensive services around institutions that are supposed to stand separate from the executive.
Perhaps the most significant policy presented in this section of the report is the government’s plan to create a Vulnerabilities Disclosure Policy (VDP). It will be interesting to see how this evolves and how the VDP (which applies when vulnerabilities are found in government systems and reported to government or appropriate vendors) will intersect with the CSE’s vulnerabilities Equities Management Framework (EMF). The EMF governs whether the CSE will keep secret, or disclose, vulnerabilities that it either discovers itself or that are reported to the CSE, based on the utility of those vulnerabilities for the CSE’s espionage, defence, or cyber operations activities.10
Shared Services Canada
Shared Services Canada (SSC) is tasked with developing and extending digital services that can be adopted by federal departments and agencies. SSC is meant to bring an ‘enterprise management’ ethos to the whole of government, in part by consolidating services and systems such as email, data centres, and network services. As NSICOP notes, while “this consolidation was initially considered a cost-saving measure, the scope of the changes required necessitated considerable investments in following years” (55). In short, the cost-savings that were once promised have yet to materialize. SSC is not tasked with providing digital services to departments which are accredited to handle Top Secret information, nor to four organizations which “used specific systems to operate ships, aircraft or vehicles or to support operations in areas of national defence, national security or public safety” (56). When the report was written, SSC provided “some or all” services to 160 of 169 federal organizations (56).
SSC fulfills its responsibilities by providing ongoing protection of government digital assets and communicating how to manage digital assets held by departments, and implementing government-wide information infrastructure to protect government information assets against security threats. When it comes to Secret-level networks, SSC collaborates with the CCCS and provides the following services to departments:
- Digital Services. This includes providing email accounts, accessing services through secure networks, providing user identity and credential management services, providing mobile devices (e.g., cell phones), and running an identity verification system.
- Security services. This involves operating an internal and external credential management infrastructure (i.e., PKI) as well as secure remote management services.
- Hardware and software services. This involves provisioning and procuring hardware, and offering a range of software-related procurements for clients.
- Data centre services. SSC brokers cloud services for government departments and provides this to its 43 partners, 23 SSC mandatory clients, and 15 optional clients for 81 clients total. SSC also operates the government’s Secret infrastructure which permits “the creation, processing, storage and sharing of information classified at the Secret level” (60).
- Network services. SSC operates the government’s Wide Area Network and an enterprise Internet service. The Internet service has “built-in security monitoring and enhanced security protocols” that result from integrating some of CSE’s cyber defence functionalities (61).
Part of SSC’s reason to exist is to prevent serious breaches of government systems. In 2010-2011 a Chinese actor was detected targeting 31 departments, with 8 “suffering severe compromises. Information losses were considerable, including email communications of senior government officials; mass exfiltration of information from several departments, including briefing notes, strategy documents and Secret information; and password and file system data” (63). This was seen as a wake-up call, with NSICOP asserting that at the time “government networks were an easy and valuable target for Chinese state-sponsored threat actors, as they were essentially undefended and used to store classified information in the absence of a secure alternative” (63). It was the CSE’s deployment of sensors that was seen as a turning point, based on documents that the CSE itself authored and presented to NSICOP for review.
At the time of writing, SSC had three classes of cyber security projects.
- Identity and access control.
- Connectivity. In addition to building out perimeter security, secure cloud systems, and expanding the infrastructure that can handle up to Secret information, the SSC was building on a CSE proof of concept to provide secure phone and mobile data connections. This was expected to scale to 10,000 users.
- Monitoring. The report recognized that “proactive monitoring enables administrators to rapidly identify and address security events on network devices” (67) but, at the same time, SSC’s security information and event management services are not standardized across clients. Based on footnote 244 it appears as though this is because the CCCS may not have appropriately configured or operated the platforms providing services to end users. Otherwise, SSC was undertaking normal activities to automate the “monitoring of deployed devices and network connections and assessing their security posture against known vulnerabilities or emerging cyber threats” (67).
SSC has a number of different types of clients. It has 43 core partners which transferred their budgets pertaining to email, data centres and network services to SSC and, consequently, do not pay a fee to use SSC’s infrastructure. There are 39 mandatory clients, which must use SSC’s services “in areas of email, data centres, networks and endpoint devices, or to procure other digital infrastructure” and which pay SSC on a cost-recovery basis. Finally, there are 78 optional clients which may request SSC services on a cost-recovery basis.
Mandatory and optional clients do not receive all their services through SSC, with the effect of posing security risks since they do not receive the CCCS’s monitoring, may not necessarily use the government’s secured connectivity services, and have limited personnel to address security issues. Many of these clients have fewer than 500 staff and operating budgets under $300 million per year. NSICOP raises concerns that these smaller organizations, if compromised, could suffer losses of their own digital assets and potentially enable operators to move to other government networks.
While SSC has plans to bring an additional 61 clients under the government’s security umbrella, inclusive of all mandatory clients and small departments and agencies, there is neither a budget nor timeline associated with this plan (70).
Analysis of Shared Services Canada
To begin, it’s worth recognizing that per NSICOP’s report SSC has received in excess of $4 billion in building out shared infrastructures. This is considerably more funding than was first envisioned. While SSC is responsible for email, data centres, and networks, it is the responsibility of departments to provide service management and delivery to end point devices as well as applications that are used by department staff.
Most of the activities undertaken by SSC are typical for a body responsible for offering services across an enterprise. However, the cost-recovery financial model arguably functions as a source of tension when it comes to smaller organizations that either cannot afford SSC’s recovery prices or are dissatisfied with the levels of service or options of services delivered, and which may not fit a given department’s needs or requirements.
In the discussion of SSC’s event monitoring it appears that the CCCS is being blamed for not properly configuring the requisite systems; as such, there is a framing of SSC having helped to secure government systems, in part by using the CCCS’s sensors, while at the same time the sensors provided by the CCCS aren’t necessarily operating as needed. Further, despite the security risks that some small organizations and departments pose, and notwithstanding an aspirational goal to protect them, there is no budget or time frame associated with defending these agencies. Put another way, while SSC knows there’s a problem, those smaller organizations are left in the cold to defend themselves, despite the harms that could befall Canadians should these agencies be successfully targeted.
The Communications Security Establishment
NSICOP’s review focuses on the elements of the CSE’s mandate pertaining to cyber security and information assurance, and its defensive cyber operations. Whereas the former can involve securing government systems and networks, the latter empowers the CSE–after approval from the Minister of National Defence and following consultation with the Minister of Foreign Affairs–to undertake operations on foreign networks and systems to protect information and infrastructure that are either operated by federal institutions or by parties designated as being of importance to the government.
NSICOP’s report discusses the governance of the CSE’s operations following a recitation of how the CSE Act empowers the CSE to undertake the aforementioned elements of its mandate. As of the time of writing in August 2021, the following Ministerial Authorizations had been issued:
| Type of Authorization | 2019-2020 | 2020-2021 | Unclear |
|---|---|---|---|
| Cyber Security — Federal Infrastructure | 1 | 1 | NA |
| Cyber Security — Non-Federal Infrastructure | ? | ? | 1 |
| Defensive Cyber Operations | 111 | 112 | NA |
The CSE’s activities must be consistent with Ministerial Directives. At the time NSICOP wrote its report only one directive guided the CSE’s activities: the Ministerial Directive on the Government of Canada Intelligence Priorities. Past directives, including on Accountability to the Minister, Privacy of Canadians, Collection and Use of Metadata, Management of Third-Party Relationships, and Avoiding Complicity in the Mistreatment by Foreign Entities have not been reissued since the passage of the CSE Act in 2019. The passage of that act led to the repeal of the aforementioned directives.
The Minister has issued two orders that designate classes of electronic information and infrastructure as of importance to the government, with the first being issued in July 2019, and then repealed and updated in August 2020. No details are provided about what was updated. The current order has no expiry date and includes:
- Canada’s 10 critical infrastructure sectors: government (federal, provincial, territorial, municipal and indigenous), energy and utilities, information and communications technology, finance, food, health, water, transportation, safety, and manufacturing;
- information related to the well-being of Canadians and the infrastructure lawfully containing it;
- entities that support the protection of electronic information and information infrastructures of importance to the government;
- multilateral organizations located in Canada in which the government is a member;
- registered Canadian federal, provincial, and territorial political parties and their electronic information and information infrastructures; and
- post-secondary educational institutions (80).
The CSE can only deploy its cyber defence sensors or conduct a defensive cyber operation when operating under a relevant ministerial authorization. When the report was written, the CSE had deployed sensors to a non-federal institution to defend it against operations conducted by a state actor.13 This deployment is worth highlighting, if only because the entity that was defended was not amongst those considered by the CSE when its authorizing legislation was drafted (telecommunications companies were a key party expected to receive assistance from the CSE). NSICOP sees the extension of the CSE’s capabilities to unintended parties as an issue on the basis that NSICOP believes that the CSE’s authorities “must be flexible enough to respond to new challenges” (81) and, also, that it took some time for the CSE to provide these capabilities. Concerning this last point, NSICOP warns that the “government must continue to consider practical means for CSE to respond quickly to rapidly emerging cyber threats while ensuring adequate ministerial control and accountability” (81).
There have also been two ministerial orders which have been issued concerning who can receive information from the CSE that could be used to identify a Canadian or a person in Canada. The first was issued in July 2019, and then repealed and updated in August 2020; the other, a current order, does not expire. The full list of classes of entities is denoted on page 82; there is one redacted foreign group that can receive this information. Further, “foreign or domestic cyber security organizations that support the protection of electronic information and information infrastructures of importance to the government and entities involved in cyber security research and development with which CSE has a partnership” can also receive this information (82).
The CSE undertakes a number of cyber defence-related activities, including providing guidance and advice, using sensors in government and non-government networks, and conducting defensive cyber operations. NSICOP’s report discloses the number of directives the CSE has operated under, as well as cyber defence reports and threat assessments issued by the CSE.
| Output | Period | Number |
|---|---|---|
| Directives | 2012 – 2019 | 11 |
| Alerts, Advisories, or Warnings | December 2013 – May 2021 | 1,721 |
| Cyber defence reports and threat assessments | Not included in report | Not included in report |
The CSE deploys and operates three classes of sensors: host-based, network-based, and cloud-based sensors. All are designed to recognize particular threats and patterns, and upon detecting threats or patterns the sensors may respond to mitigate the incident or a CSE analyst may undertake further analysis. Mitigation includes “blocking of a malicious connection at the network gateway or the removal of malware from a computer” and entails sharing information with “CSE partners and clients, inside and outside of government” (86). These sensors acquire an “extensive” breadth of information, inclusive of the content of communications and associated metadata. Since 2019, government departments must have agreements in place with the CSE to deploy cloud-based sensors before initiating cloud residency.
The CSE had deployed 583,809 host-based sensors at the time the report was written. The precise number of departments under this security umbrella is redacted, as is the expected number of departments that will receive host-based sensors in the future. The report does not indicate when the CSE or government departments expect to complete the planned deployments.
Network-based sensors were first deployed in 2006. Today, they are integrated as part of SSC’s Enterprise Internet Service, as well as deployed to organizations where the CSE has bilateral agreements in place. When malicious activity is encountered on one sensor the associated indicators of compromise can be pushed to other sensors to provide protection to all clients and network gateways. NSICOP’s report indicates that consistent records for the number of deployed network-based sensors only began in 2019-2020, though the number of sensors and protected departments is redacted.
Cloud-based sensors were mandated by TBS in 2019 and their deployment was accelerated following the onset of the COVID-19 pandemic as departments moved to cloud-based applications to enable remote work. The specific capabilities of these sensors are redacted in NSICOP’s open source report.
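The detection, mitigation and indicator-sharing model that the report sketches for the three sensor classes, as an added illustration rather than CSE or SSC code; the real sensor capabilities are redacted, so the sensor names, signatures, addresses, hashes and the 0.9 confidence threshold are all constructed here.

```python
"""Toy model of the host-, network- and cloud-based sensor fleet described
in the NSICOP report. Added illustration, not CSE code: every value below is
constructed for the example."""
from dataclasses import dataclass, field
from enum import Enum


class Kind(Enum):
    HOST = "host-based"
    NETWORK = "network-based"
    CLOUD = "cloud-based"


class Outcome(Enum):
    CLEAN = "clean"            # nothing matched
    MITIGATED = "mitigated"    # sensor acted automatically
    ESCALATED = "escalated"    # handed to an analyst for further analysis


@dataclass
class Event:
    """One observation. 'indicator' is the remote address (network/cloud)
    or the file hash (host) that would become a shareable IoC."""
    indicator: str
    pattern: str = ""          # what the local detection matched, if anything
    confidence: float = 1.0    # certainty of the local match


@dataclass
class Sensor:
    name: str
    kind: Kind
    signatures: set = field(default_factory=set)   # local detection patterns
    indicators: set = field(default_factory=set)   # IoCs pushed from the fleet
    actions: list = field(default_factory=list)    # mitigations taken
    escalations: list = field(default_factory=list)

    def mitigate(self, ev: Event) -> Outcome:
        # Host sensors clean the endpoint; network and cloud sensors block at the gateway.
        if self.kind is Kind.HOST:
            self.actions.append(f"remove malware {ev.indicator}")
        else:
            self.actions.append(f"block connection to {ev.indicator}")
        return Outcome.MITIGATED

    def observe(self, ev: Event, fleet: "Fleet", threshold: float = 0.9) -> Outcome:
        # 1. An indicator the fleet already knows is acted on immediately,
        #    even if this sensor never had the signature that first found it.
        if ev.indicator in self.indicators:
            return self.mitigate(ev)
        # 2. A local signature match: mitigate and share if confident,
        #    otherwise escalate to an analyst and share nothing yet.
        if ev.pattern and ev.pattern in self.signatures:
            if ev.confidence >= threshold:
                fleet.publish(ev.indicator, origin=self.name)
                return self.mitigate(ev)
            self.escalations.append(ev)
            return Outcome.ESCALATED
        return Outcome.CLEAN


class Fleet:
    """Distribution point that pushes an IoC seen on one sensor to all sensors."""

    def __init__(self) -> None:
        self.sensors: list = []
        self.shared: dict = {}   # indicator -> name of the sensor that first saw it

    def add(self, sensor: Sensor) -> Sensor:
        self.sensors.append(sensor)
        sensor.indicators.update(self.shared)   # late joiners get the current set
        return sensor

    def publish(self, indicator: str, origin: str) -> None:
        self.shared.setdefault(indicator, origin)
        for s in self.sensors:
            s.indicators.add(indicator)


def run_scenario() -> dict:
    """Constructed scenario: one gateway detection protects every other sensor."""
    fleet = Fleet()
    gateway = fleet.add(Sensor("dept-A-gateway", Kind.NETWORK, {"c2-beacon"}))
    cloud = fleet.add(Sensor("dept-B-cloud", Kind.CLOUD))        # no local signatures
    host = fleet.add(Sensor("dept-C-host", Kind.HOST, {"unknown-packer"}))

    first = gateway.observe(Event("203.0.113.7", "c2-beacon", 0.95), fleet)
    # The same address now hits a sensor that has no signature for it at all.
    second = cloud.observe(Event("203.0.113.7"), fleet)
    # A low-confidence host match goes to an analyst instead of being shared.
    third = host.observe(Event("sha256:constructed-hash-1", "unknown-packer", 0.6), fleet)
    fourth = host.observe(Event("sha256:constructed-hash-2"), fleet)
    return {
        "first": first, "second": second, "third": third, "fourth": fourth,
        "shared": dict(fleet.shared),
        "cloud_actions": list(cloud.actions),
        "host_escalations": len(host.escalations),
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(key, value)
```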
NSICOP provides an example of where a department was compromised and appears to engage in victim blaming. Specifically, there is a Crown corporation which was not subject to TBS direction and did not use SSC’s Enterprise Internet Service. SSC shut down the corporation’s “weak single-factor authentication service” and, subsequently, the corporation reversed this decision “despite a stronger alternative being available within two weeks” (95). The report asserts that the corporation’s decision was “a key factor in the cyber attack” but, in doing so, seems not to have assessed whether the two-week delay for multi-factor authentication was a serious issue or whether the immediate availability of multi-factor authentication–as opposed to a two-week delay–would have led the corporation to agree to the switch. In effect, instead of centring on SSC’s seeming failure to provide practical security advice and services, the corporation is blamed for focusing on maintaining its operations, which is presumably core to its mandate.
While the CSE can undertake defensive cyber operations, and has obtained Ministerial Authorizations to conduct them, it had not exercised this element of its mandate at the time that NSICOP’s report was completed. The report does, however, spell out the conditions that must be met for such an operation to be carried out:
- When a cyber threat is of such sophistication that neither commercially available defences nor CSE’s classified sensors are sufficient to counter it;
- When a compromise has progressed to a stage that already-deployed sensors are no longer capable of mitigating it; and
- When a cyber threat is of such scope and scale, affecting so many federal institutions and designated non-federal entities, that deploying sensors could not be done in a timely manner to mitigate the threat. (96)14
The specifics of any defensive cyber operations, or foreign intelligence or active cyber operations activities associated with defensive cyber operations, are left redacted. Similarly, it is unclear how many compromises of government systems and networks have occurred since 2015 (or the number of incidents that involve advanced persistent threats), or how many compromises included the exfiltration of information. There has, however, been an increase in the number of ‘cyber defence reports’ which CSE has produced, from 961 in 2015-2016 to 4,379 in 2019-2020 (97).
The section on the CSE concludes with a warning that not all government organizations are protected by host-, network-, or cloud-based sensors. The reasons include “concerns about independence and cost of service” though NSICOP hastens to assert that privacy should not be a reason to avoid adopting CSE’s protective systems. It argues that, per the former Office of the CSE Commissioner, “the vast majority of private communication unintentionally intercepted by CSE contained only malicious code and efforts to tailor a message to entice the target to open its content … those intercepted private communications contained no consequential information or exchange of any personal information and therefore should not be considered “private communications” as defined by the Criminal Code.” As such, per NSICOP:
The fact that CSE cyber defence activities entail relatively few privacy risks to Canadians or owners of systems and networks on which CSE sensors are deployed should be an important factor for organizations that cite independence as the reason for remaining outside of the government’s cyber defence framework (99).
Analysis of The Communications Security Establishment
To begin, it’s worth asking the question of why so many of the ministerial directives that once guided the CSE’s activities have been repealed following the passage of the CSE Act. While it is possible that the government is of the opinion that the Act sufficiently ensconced these directives into CSE’s authorizing legislation, NSICOP has not done the work to show this is the case to readers. It’s unfortunate that it has simply described the state of affairs instead of carrying out an analysis of the implication of the current state.
The breadth of what includes electronic information and information infrastructures of importance to the government is sufficiently vast and vague that it is unclear how much of Canadian society might not be defended by CSE sensors at any given time. What precisely is included (or, for that matter, not included) as “information related to the well-being of Canadians” (80)? What entities are included amongst those “that support the protection of electronic information and information infrastructures of importance to the government” (80) and what might a cost-sharing look like between the CSE and Government of Canada, and external to government organizations? Furthermore, what is the CSE’s capacity to provide assistance to non-government organizations, and might assistance entail providing host-, network-, or cloud-based sensors? While there was an opportunity for NSICOP to move beyond reciting the government’s provided documents and explain in detail what these categories meant, the Committee chose to not do so in this report.
The report makes clear that post-secondary institutions, such as universities, might also expect to receive either advice or services from the CSE as a result of being designated as ‘of importance’ by the government. Indeed, this may be an increasingly real possibility given the pressures that are being placed on universities and colleges to be wary of human- and cyber-enabled espionage.
While NSICOP does note it has an “issue” with how the CSE has provided sensors to a non-federal institution (on the basis that the institutional type was not envisioned as a recipient in the lead-up to the CSE Act being passed into law) the CSE did not exceed its authorizing legislation. As such, it is within the realm of possibility that the CSE might be in a situation to deploy sensors on other networks and select end-point devices at some point in the future in excess of what was imagined when the CSE Act was drafted. It’s not apparent that NSICOP would have a privacy-based concern with this as they do not think that the CSE’s defensive functions raise meaningful privacy risks and thus argue for other independent branches of government to operate under the executive’s defensive umbrella. Why, if constitutional independence is not an issue, would the review body consider it a problem if other elements of the public or private sectors were, also, brought beneath the CSE’s security umbrella?
At the same time, and within the context of deploying CSE capabilities to non-government organizations, NSICOP argues that the CSE should be empowered to more rapidly respond to threats as they arise. It is unclear what NSICOP believes that the CSE should be authorized to do, though broader discretion to interpret their authorities seems to be the recommendation. How, precisely, the CSE should be permitted to defensively operate outside the perimeter of government systems “at the speed of cyber” is not clearly cabined in any precise way. The result is to, seemingly, call for expanded discretion so the CSE can provide defensive services outside of government systems at the speed of cyber but without setting out possible redlines to delimit the CSE’s activities.
A number of entities are authorized to receive information from the CSE which relates to a Canadian or a person in Canada. In describing foreign entities with which the CSE has established relationships, the report lists “Five Eyes partners, ***, and foreign computer security incident response teams” as well as “foreign or domestic cyber security organizations that support the protection of electronic information and information infrastructures of importance to the government and entities involved in cyber security research and development with which CSE has a partnership” (82). It is unclear with whom, exactly, the CSE has established foreign relationships. Regarding foreign and domestic cyber security organizations, it would have been helpful for NSICOP to provide examples of who this might include: does it include organizations such as the Canadian Cyber Threat Exchange? Threat intelligence companies? Security research and development companies that work with the Five Eyes, and which are involved in producing malware or exploits for CSE and its closest partners, such as Azimuth Security? Or other classes of parties entirely?
Finally, the NSICOP report contains a confusing redaction, on page 96:
[Defensive cyber] operations would involve *** to install, maintain, copy, distribute, search, modify, disrupt, delete or intercept anything …]
This language reads directly from the CSE Act, and pertains to both foreign intelligence operations as well as defensive and active (i.e., offensive) cyber operations. The redaction leaves it unclear if the redacted text refers again to defensive operations (which would be strange if defensive operations involve defensive operations) or, instead, that defensive operations involve foreign intelligence or active cyber operations instead. If we presume the latter, this seems to demonstrate that the elements of the CSE’s mandate are interwoven and, thus, that restrictions associated with some elements of CSE’s mandate might be finessed away through bringing multiple aspects of the CSE’s five-part mandate to bear to any given operation.
Summary Analysis of Part III: Key Cyber Defence Player, Authorities and Activities
This section of the report provided a significant amount of new information to individuals who research Canada’s national security community. To begin, it clarifies the roles of TBS, SSC, and the CSE. However, the different sections of the report indicate important tensions in the basic framing of defensive activities undertaken to protect government systems and those non-governmental systems that have been designated as important by the government.
First, we see that despite the promulgation of policies and directives from TBS they are not all adopted, and that there are no disciplinary actions associated with ignoring or setting aside these policies and directives. At the same time, there is a seemingly small budget in the CIO of the Treasury Board to actually coordinate, educate, and enforce these directives.
Second, we see that many of the challenges in encouraging uptake of SSC offerings–which often include defensive capabilities developed by the CSE–are linked to cost and risks to independence. With regards to cost, NSICOP tends to adopt a position of blaming smaller organizations for not adopting SSC service offerings but does not, at any point in its review, engage with agencies that have made this decision. To be charitable, offerings from SSC have not always been greeted with open arms from agencies and departments that are reliant on them. There have been incredibly prominent conflicts within the government linked to the capabilities that SSC actually provides and the responsiveness of the organization where issues have arisen with its services. Moreover, we learn that while the sensor systems deployed by the CSE are apparently excellent, they are not necessarily configured in a standard way to facilitate “full visibility over government networks to identify risks and to respond to incidents quickly, resulting in inconsistent accountability for network monitoring across government” (67). This calls into question the fullness of the security benefits afforded by entirely adopting the services provided by SSC.
When we look at how the CSE provides defensive capabilities to government departments, a great deal of information associated with its sensors is now on the record. It’s worth recognizing that the CSE has historically been absolutely loath to provide information about these, to the point where Canada’s allies–such as the UK, which uses Canada’s technologies–have been the place to go to learn about Canada’s own technologies.
NSICOP’s high-level recommendation that independent parts of the government, such as the parliament or judiciary, get over their concerns of independence to scurry under the executive branch’s security umbrella is very strange advice because of the nature of NSICOP as a committee of parliamentarians within the executive. Part of the problem stems from NSICOP’s operating from within the executive and telling non-executive branches of government what to do: it comes across as one branch of government attempting to (at least potentially) subvert the independence of other branches. If, however, NSICOP was a parliamentary committee then at least a body that was independent of the executive would be seen as coming to the conclusion. As NSICOP is currently situated, however, it leaves open the question of whether its members arrived at an independent conclusion as parliamentarians or if, instead, the members have been so captured by either the executive or the security agencies associated with the executive that they are ignorant or unaware of the profoundness of the argument they are making.
Moreover, in relying on the Office of the CSE Commissioner to argue that there are few, if any, privacy concerns linked with the CSE’s surveillance of telecommunications traffic, NSICOP is implicitly accepting that the Commissioner is correct in its (historical) judgements. A review published by the National Security and Intelligence Review Agency (NSIRA) called into question the extent to which the CSE can continue to rely on at least some of those historical interpretations: NSICOP, in accepting the Commissioner’s position, appears to potentially be putting the two review bodies on opposite sides of the question of whether the Commissioner was correct in how it historically assessed the CSE’s activities through the lens of the Privacy Act.
It is possible that the Commissioner was correct as it pertains to network sensors monitoring private communications. But, frankly, the Commissioner’s office was sufficiently constrained in how it could come to conclusions of legality that more time–and especially greater legal argumentation and analysis–should have been undertaken by NSICOP. This is especially the case given that the correctness of the Commissioner’s interpretation of the Privacy Act has been called into question. To have not done this work is profoundly concerning and calls into question the ability of NSICOP to independently analyse facts that arise and seemingly pertain to reviews it is undertaking.
Part IV: Governance of Cyber Defence
This section of NSICOP’s report outlines the different committees and senior groups that meet within government to coordinate cyber defence activities, including in the case of an ‘attack’ or operation that is undertaken against the Canadian government. It details how often different committees meet and their respective mandates, as well as which groups, committees, and departments are responsible for different cyber defensive activities.
While the Deputy Ministers’ Committee on Cyber Security, its Associate Deputy Ministers counterpart, and the Assistant Deputy Minister Information Technology Security Tripartite Committee are described, they are not actually assessed. Moreover, the report summarizes the public Cyber Security Event Management Plan and response levels, and states that no Level 4 incidents have occurred as of the time the report was written. Such incidents are considered “severe catastrophic events” and would lead to a harmonized government response to emergencies. No specific example of what this might look like, in practice, is provided.
Analysis of Part IV: Governance of Cyber Defence
This section of the report does summarize and bring to light some of the processes within the government for handling cyber security incidents. However, beyond describing the expected or intended way that governance should take place, it does not go so far as to outline where these governance mechanisms are working well, merely adequately, or require remediation. In light of difficulties associated with TBS enforcing its policies, SSC providing services in ways that can be taken up by all government departments and agencies, and proposals to subjugate independent branches of government to executive defensive systems, it seems strange that no analysis was done to determine why higher-level committees within government have not taken up or ameliorated the problems found in the review body’s assessment of key cyber security agencies.
Part V: The Committee’s Assessment of the Cyber Defence Framework
This section of the report begins by asserting that “[w]here other states have recently fallen victim to successful cyber exploitations or ransomware attacks, Canada has either blocked the attacks or limited their worst effects,” though it is notable that, proximate to the time this report was released, Global Affairs Canada suffered a seemingly significant, if not catastrophic, cyber incident. Some time after the report was published, the National Research Council also suffered a ‘cyber incident’. Nonetheless, NSICOP generally congratulates the government for its progress in building its defensive capacities and offers three assessments.
First, there should be uniform application of Treasury Board policies and directives. The process by which this could occur, however, is not clear from the assessment: there are no calls for legislative reform to the Financial Administration Act or other legislation which would extend TBS’s authority to compel more agencies to adopt the policies and directives that it has promulgated. However, reading between the lines, this may be what NSICOP is implicitly calling for.
Second, SSC’s service offerings are not being adopted as widely as NSICOP believes is desirable. This is happening, at least in part, because of the funding models associated with these services (i.e., à la carte and cost-recovery) and in part due to which agencies and departments must use SSC services versus those that have the option of using SSC services. NSICOP is calling for an expansion of who must use SSC services and, also, enhanced funding for smaller departments and organizations so they can afford SSC’s cost-recovery model of operation.
Third, more government departments need to avail themselves of the CSE’s defensive capabilities. NSICOP is particularly worried about Crown corporations being outside the CSE’s security umbrella. At the same time, NSICOP is worried about institutions that stay outside the security umbrella on the basis that they are deliberately maintaining their independence from the executive, including those which are responsible for the administration of justice, as well as administering Canada’s financial and economic systems. NSICOP appears to believe that the reason such independent bodies are hesitant to gather under the executive security umbrella is due to privacy concerns, as opposed to broader concerns of constitutional independence from the executive. The Committee generally believes that privacy should not be a reason to set aside protections offered by the CSE or the rest of the Government of Canada.
Analysis of Part V: The Committee’s Assessment of the Cyber Defence Framework
The assessments drawn by NSICOP, as a result of their having exclusively spoken with, or read documentation from, CSE, SSC, TBS, and Public Safety Canada (PSC), are expected in some cases and surprising in others. At no point did NSICOP speak with agencies which receive services from the aforementioned agencies. The result is that the Committee holds that Crown corporations and other independent bodies–such as Parliament and the judiciary–should set aside concerns of independence to work more closely with the executive branch of government. From a practical ‘how do we protect things’ perspective this may be a desirable outcome, but the very ‘assessment’ (read: recommendation) does not include a debate about the constitutional or legal considerations associated with such a decision. The report does not meaningfully engage in any debate concerning the structures of power, or why independence is important. Instead the report, and NSICOP, appears to presume that independence is not operationally important when it comes to cyber security, and that privacy concerns are the reason that independent bodies may be hesitant to adopt the CSE’s protections, along with those from SSC and policies from TBS. In doing so, NSICOP comes across as either deeply ignorant of the division of powers as appreciated by other agencies and branches of government, at best, or captured by the executive and thus parroting the opinions of security agencies, at worst. Neither is a good look.
There are only a few moments in the report that indicate there may be challenges or difficulties in how the lead agencies responsible for cyber security and defence are operating. As an example, when SSC cut off an agency’s single-factor authentication without an immediate technical solution, NSICOP asserted that the affected agency was responsible for the subsequent security incident because it couldn’t wait for two weeks while SSC implemented a multi-factor authentication process. From this incident, NSICOP could have assessed that it is important for SSC to have immediate solutions when it attempts to deprecate existing technical infrastructure used by agencies. The Committee’s report does not, however, diagnose the example in this way. As such, it seems that NSICOP does not think that SSC needs to have systems ready to activate immediately when it makes recommendations or takes actions towards other departments, with the effect that it may be permissible for agencies or departments to be unable to fulfil their mandates and missions while they wait for SSC to provide the requisite technical solutions. As anyone who has worked in cyber security knows, it is imperative that solutions better empower clients instead of stopping them from undertaking and fulfilling their core businesses. Doing otherwise dramatically increases the likelihood that the client will find ways around and through any ‘solutions’ which are offered. Based on its report, NSICOP seems either not to understand or not to appreciate this position.
While NSICOP praises the CSE for its defensive capabilities it does not inspect or assess how the CSE might better configure or manage its sensors to overcome challenges that SSC itself identified. It is unclear why this did not rise to the level of an assessment at the conclusion of the report; if a technical system is not operating effectively, then surely work should be done instead of uniformly praising a system that may be quite good but nonetheless not operating at full capacity as described by one of the key security agencies in government.
In looking to privacy as a potential concern associated with the government’s defensive security operations, NSICOP did not appear to have assessed the actual legal analysis undertaken by the Office of the CSE Commissioner, which was a significant omission given the recent dispute between how the Commissioner and NSIRA have interpreted the Privacy Act with regards to the CSE’s handling of personal information. At a minimum, a review body should be skeptical and critical of the information it is relying upon and seek to verify claims that are made; this is especially true when relying on what might be contentious decisions. This doesn’t appear to have been done, however, with the effect that a divide may be arising in legal interpretations of the Privacy Act and the CSE’s operations: what might happen should NSIRA come to a different conclusion about the privacy implications of the CSE’s sensors? Moreover, while NSICOP asserts that privacy isn’t a problem with regards to the CSE’s sensors, the Committee did not receive a briefing from the Office of the Privacy Commissioner of Canada. It is mystifying why the government’s experts on privacy were not consulted as part of this report if privacy is being raised as a serious hindrance towards adopting government defensive systems.
Finally, the assessment of the CSE’s sensor network leaves open some questions. To what extent are different foreign governments and the Canadian government sharing threat information, which is subsequently integrated into the common sensors used by Canada and the UK, as an example? What is the relationship, if any, in how sensor networks operate? How automated, if at all, are such sensor threat updates? To what extent do the sensors trigger false positives or otherwise impede the ability of government agencies to carry out business? How did NSICOP go about technically verifying that the information they received from the CSE about how the various sensor systems operate is, in fact, accurate and in conformity with Canadian law? All of these questions are somewhat obvious upon inspecting past historical slides concerning the CSE’s defensive cyber sensors and likely would have been raised with the Committee had they spoken to non-government experts who have studied them for the past decade.
It is entirely possible that the answers to the aforementioned questions are, in order: there is no threat intel sharing, the sensor networks in different jurisdictions are 100% independent and just use a common baseline technology, there are no automated update systems, no significant false positive events occur, and redactions mean that NSICOP’s critical technical and legal assessments must remain out of public eye. Nonetheless, NSICOP either didn’t choose to conduct these basic, and important, assessments in the course of its review or their questions and answers were suppressed in the open source version of their report.
This report is useful for presenting information that wasn’t previously on the public record. However, NSICOP’s report is not critical and did not sufficiently canvass organizations or experts outside of the government security community to have produced a critical report or series of assessments: departments serviced by TBS, SSC, and the CSE were not interviewed. The Office of the Privacy Commissioner of Canada wasn’t involved to share information on the privacy implications of the CSE’s sensor network. External experts from industry or civil society were not consulted for entirely unclear reasons. And, even within the bubble that NSICOP chose to confine itself to, it was only able to conduct interviews five times over a full year.
This report is useful for researchers insofar as more data is available, but the report does little to demonstrate NSICOP’s independence within the executive. NSICOP argues in this report that the unwillingness of the judiciary and other branches of government to use the executive’s cyber security defences is really about privacy as opposed to being due to divisions of power or the need for the judiciary and legislative assembly to avoid being perceived as in league with the executive branch. One would hope that a body composed of parliamentarians and senators from across Canada’s largest political parties would appreciate the need for the legislative assembly’s independence or, at a minimum, make strong arguments as to why such independence is not really important in the context of the executive branch’s cyber security and defence systems. In making such an argument, of course, their report would have needed to speak directly to the concerns raised from within the judiciary, parliament, senate, and independent government agencies. Moreover, the Committee would have needed to interact directly with financial institutions and Crown corporations to understand why they have sought to retain their independence so as to explain–from NSICOP’s position–that such independence is overrated or unnecessary. Sadly, NSICOP either decided these kinds of discussions and briefings weren’t important or didn’t realize it needed to engage in these sorts of discussions for its ‘assessments’ to carry much weight. It’s unclear which of these rationales is worse.
In the end, NSICOP’s report could have just as easily been written as a shared publication by the Treasury Board Secretariat, Shared Services Canada, the Communications Security Establishment, and Public Safety Canada. The assessments or recommendations are largely uncritical of these agencies themselves and ignore the importance of the division of power within and across government. The report seems to be the product of an insular set of readings and interviews, without an eye to critically evaluating how to broadly improve the defensive functions surrounding government departments while also looking for ways to meaningfully enhance how the specific parts of government go about providing cyber security and defence services. That’s not to say that some recommendations for potentially improving cyber security aren’t present, of course, but merely that the recommendations–or assessments–could have been much broader in scope than was offered in the report.
Given the publicly aired concerns that have been raised about the risk that NSICOP might be captured or exploited by the executive, I would have expected and hoped that its members would strive to demonstrate their independence by applying a critical edge when it came to their review of cyber security and defence. Unfortunately, the Committee seems to have not done so, either because they didn’t believe they needed to or because they considered this report to be critical. It is not a critical report and, as such, risks reifying perceptions that NSICOP serves the executive or carries its water, with the effect of unfortunately lending ammunition to those who call into question whether NSICOP operates as an effective review body or as a pro-government executive committee instead.
I want to express my profound appreciation to the individuals who have spoken with me about NSICOP’s report and who helped me reflect on several elements of my analysis of NSICOP’s work. Your contributions have made this writing better. Any errors remain my own.
- I’ve uploaded a copy as a .pdf to this website to ensure readers can obtain a copy if the official government URL changes. Download “National Security and Intelligence Committee of Parliamentarians Special Report on the Government of Canada’s Framework and Activities to Defend its Systems and Networks from Cyber Attack.”
- This led NSIRA to tersely announce it had suffered a cyber incident.
- This definition is derived from a Government of Canada document that is not currently publicly accessible.
- Despite this not being a focus, some time is briefly spent noting that a non-federal system has been defended under the CSE’s mandate.
- The threat assessment regarding Canadian industrial systems stands in contradistinction to the United States, where the ODNI’s 2019 “Worldwide Threat Assessment of the US Intelligence Community” recognized that Russia might be able to cause temporary disruption to critical systems (e.g., energy) for a few hours, similar to their attacks towards Ukraine in 2016, whereas China was recognized as possessing “the ability to launch cyber attacks that cause localized, temporary disruptive effects on critical infrastructure-such as disruption of a natural gas pipeline for days to weeks” (5).
- Assuming, of course, that the government plans to publish a finished policy in the first place!
- As written, the text is unclear whether the intrusion efforts targeting FAC occurred in 2003 or 2004. The phrase, “In the same year…” either applies to the example linked with DND or refers to 2004, when the CSE obtained an MA to assist in investigating the intrusion into DND’s networks. See page 31.
- The MAs issued for this time applied to: the CSE, as well as the networks of the Office of the CSE Commissioner, Privy Council Office, and Department of National Defence.
- This was desperately needed given the ongoing issues of properly funding and staffing the CERT.
- Several years ago I recommended that the government adopt a VDP at committee. See: “Practical Steps To Advance Cybersecurity in Canada’s Financial Sector”, paragraphs 17-21.
- No operations were undertaken at this time because “normal cyber defence activities successfully mitigated the threat and obviated the need for a separate operation” (96).
- No operations were undertaken at this time because “planned operations had not proceeded to the operational stage” (96).
- The specific date is not provided, though the report acknowledges that the CSE detected a state operator attempting to compromise the network of a Canadian company in 2019.
- Given recent public acknowledgement that the CSE has conducted cyber operations, it is possible that these conditions were deemed satisfied and, thus, may have authorized the CSE to conduct defensive cyber operations targeting a criminal organization’s infrastructure, as reported in December 2020.