The Communications Security Establishment (CSE) released its 2021-2022 Annual report on June 28, 2022.1 The CSE is Canada’s leading foreign signals intelligence and cryptologic agency. It is specifically tasked with collecting foreign intelligence, defending government of Canada networks as well as private networks and systems deemed of importance by the government, providing assistance to federal partners, and conducting active and defensive cyber operations.2 The CSE operates as a Canadian equivalent to the United Kingdom’s GCHQ.
Five things stood out to me in the annual report:
- It provides more details about the kinds of active and defensive cyber operations that the CSE has undertaken while also clarifying when such operations might take place. This information is important given the potentially deleterious or unintended impacts of the CSE exercising these capabilities. It is, however, worth recognizing that the CSE is casting these activities as preventative in nature and does not include a legal discussion about these kinds of operations.
- The report extensively discusses threats to critical infrastructure and the activities that the CSE is undertaking to defend against, mitigate, or remediate such threats. Many of the currently voluntary engagements between the CSE and industry partners could become compulsory (or, at a minimum, less voluntary), in the future, should Canada’s recently tabled infrastructure security legislation be passed into law.
- We generally see a significant focus on the defensive side of the CSE’s activities, vis-a-vis the Cyber Centre. This obscures the fact that the majority of the agency’s budget is allocated towards supporting the CSE’s foreign intelligence and active/defensive cyber operations teams. The report, thus, is selectively revelatory.
- No real discussion takes place to make clear to readers how aspects of the CSE’s foreign intelligence, cybersecurity/information assurance, assistance, or active or defensive cyber operations authorities may interoperate with one another. The result is that readers are left uncertain about how combinations of authorities might enable broader operations than are otherwise self-apparent.
- As I raise at several points when analyzing the annual report, there are a number of situations where information in the annual report risks concealing the broader range(s) of actions that the CSE may undertake. Readers of the annual report are thus advised to critically assess the annual report and read what it specifically says instead of what it may imply.
In this post, I proceed in the order of the report and adopt the headlines it used to structure content. After summarizing some of the highlight elements in a given section I proceed with a short discussion of the relevant section. The post concludes with a broader assessment of the annual report, what was learned, and where more information is desirable in the future.
Minister Anand notes that some global powers are behaving in “irresponsible ways”. This continues the Canadian government’s practice of calling out behaviours it, and often its allies, believe violate the 11 non-binding norms of responsible state behaviour in cyberspace.3 Canada’s actions, by way of contrast, are perceived or cast as responsible on the basis that they adhere to the aforementioned norms and how Canada understands international law to apply to cyberspace.
The Minister also makes clear that investments in the 2022 federal budget are meant, in part, to enhance the CSE’s ability to conduct cyber operations. These operations are meant to “prevent and defend against cyber attacks” (5). The budget made clear that $263 million of the allocated $875 million, or 30%, was going to cyber operations to prevent and defend against cyber attacks. These budget allocations were divided across the coming five years.
Analysis of Minister’s Foreword
While the Minister asserts that cyber operations are intended to “prevent and defend” these words have a somewhat unusual meaning insofar as ‘protection’ extends to both active/offensive and defensive cyber operations.4 Specifically, undertaking an operation against a foreign target, prior to that target launching an operation which might affect Canadians or Canadian interests, can constitute prevention. Active cyber operations can, also, be used to advance either national objectives or national interests. In both of these cases much more may be involved than merely preventing or defending against foreign operations. As such, the budget allocated to cyber operations should be understood as enabling both active (i.e., offensive) as well as defensive cyber operations and not merely providing resources for defensive cyber operations.
Russia’s Invasion of Ukraine
The recently passed budget allocated $180.3 million over five years to prevent and respond to cyber attacks on critical infrastructure. Some of this will involve the CSE continuing to track threats in Canada and around the world. Unsurprisingly, then, the annual report notes that the CSE is doing just this (10)5 and, moreover, is sharing information with Canadian critical infrastructure partners. The current threat feed includes:
- indicators of compromise;
- threat mitigation advice; and
- confidential alerts about new forms of malware, as well as tactics being used to target victims (10).
The CSE assisted in repatriating Canadian consular staff at the outset of the war between Ukraine and Russia, and has “included intelligence sharing and cyber security support” to the Canadian Armed Forces (CAF) mission in support of Ukraine (10).
Analysis of Russia’s Invasion of Ukraine
First, we can turn to the issue of protecting critical infrastructure in the context of the Russian war on Ukraine. The activities that the CSE has undertaken are to be expected. The Canadian government, along with its allies, has warned critical infrastructure providers and private businesses to prepare for Russian operators to potentially target Western services and infrastructure.6 The annual report reiterates the kinds of work that have been ongoing and adheres to public commentary from elected and non-elected officials alike.
While this section of the report focuses on protecting critical infrastructure through the lens of Russia’s invasion of Ukraine, the Canadian Centre for Cyber Security’s “National Cyber Threat Assessment 2020” (NCTA 2020) recognized that cyber threat actors writ large “may target critical Canadian organizations to collect information, pre-position for potential future activities, or as a form of intimidation” but that it was “very unlikely that cyber threat actors will intentionally seek to disrupt Canadian critical infrastructure and cause major damage or loss of life in the absence of international hostilities” (21 of NCTA 2020, emphasis added). The current conflict in Ukraine arguably constitutes a major international conflict in which Canada, and our allies, are taking an active role in trying to influence the outcome. Though perhaps outside of scope, the annual report does not clarify the extent to which the 2020 judgement still holds.
Second, it is unsurprising that the CSE has assisted the CAF in its Ukrainian operations. The CSE and CAF have a longstanding relationship, with the CSE having provided assistance in prior conflict situations. As phrased, it may be that the CSE’s foreign intelligence and cybersecurity aspects of its mandate have been activated to share information, as opposed to the CSE providing assistance to the CAF by way of operating under the CAF’s own mandates.7 However, the use of “included” is suggestive that other aspects of the CSE’s mandate may have been operationalized (e.g., active or defensive cyber operations), up to and including the CSE potentially providing assistance to the CAF under the CAF’s own authorities. As written, the annual report retains a degree of ambiguity with the effect that Canadians cannot know what, precisely, the CSE has done to support the CAF and its Ukrainian mission. Indeed, when the annual report later discusses how the CSE undertook active and defensive cyber operations we find that active cyber operations were undertaken to “assist the Canadian Armed Forces in support of their mission”, though without explaining which specific operations were implicated in the assistance. What appears as a case of transparency, then, may simultaneously be concealing other operations in which the CSE has been involved.
Foreign Signals Intelligence
The annual report highlights a number of the foreign-based threats that were addressed by the CSE. Some threats were associated with cybercrime, kidnappings of Canadians abroad, and terrorism and extremism (including Ideologically Motivated Violent Extremism). Other threats included the activities of hostile states, such as cyber threats; espionage directed against Canada, inclusive of economic espionage; foreign interference and disinformation campaigns; and threats to Canadians and Canadian forces abroad.
The CSE also provided technical and operational assistance to a number of agencies, including the Royal Canadian Mounted Police, Canadian Security Intelligence Service, Canadian Border Services Agency, and the CAF/Department of National Defence. When working with foreign partners, again as it pertains to foreign signals intelligence, the CSE worked to promote and respect “norms of responsible behaviour in cyberspace” (12).
As part of its monitoring of threats to Canada, the CSE also “had cyber operations authorities in place to disrupt malicious cyber activity aimed at Elections Canada infrastructure, if needed” (12). Political parties also received some cyber security support.
Analysis of Foreign Signals Intelligence
First, and perhaps pedantically, it is worth recognizing that the CSE has cast its activities as being classified as foreign signals intelligence (SIGINT). However, s. 17 of the CSE Act defines the foreign intelligence aspect of the CSE’s mandate thusly:
“The foreign intelligence aspect of the Establishment’s mandate is to acquire, covertly or otherwise, information from or through the global information infrastructure, including by engaging or interacting with foreign entities located outside Canada or by using any other method of acquiring information, and to use, analyse and disseminate the information for the purpose of providing foreign intelligence, in accordance with the Government of Canada’s intelligence priorities.”
It’s possible that the annual report is casting SIGINT as a superset of Communications Intelligence (COMINT) as well as Electronic Intelligence (ELINT) and, presumably, Foreign Instrumentation Signature Intelligence (FISINT), and other modes of intelligence collection that fit under Foreign Intelligence collections writ large. However, in using a more colloquial but not legislatively defined term it is possible that some information is being suppressed or excluded from the description provided in the annual report. Given how carefully reports of this nature in Canada tend to be prepared, then, it isn’t apparent to a reader what is being transparently exposed versus what is being kept in the shadows versus what is being presented in a more publicly accessible manner.
Second, while it is positive to see the CSE outline a number of specific threats targeted by its foreign intelligence activities, the provided list does not comprehensively account for the CSE’s foreign intelligence targets. The government of Canada prepares a bi-annual list of intelligence priorities. Since 2018, this has been performed by the Cabinet Committee on Canada in the World and Public Security.8 Individual departments and agencies take the finished priorities and then adjust them to their own mandates. While some of the CSE’s collection targets are certainly linked to the threat-related intelligence discussed in the annual report the agency will, also, presumably include economic, defence, diplomatic and political, industrial, and potentially even environmental or health intelligence collection depending on the priorities of the government of the day.
Third, I have previously raised concerns about how the CSE has begun to target criminal infrastructures to ‘impose costs’ on operators. Specifically:
… even in the debates surrounding the new powers that the CSE is now using, there was little time spent on how the CSE would target criminal infrastructure. Members of Parliament and the public were not involved in a meaningful discussion about when the CSE would become a de facto cybersheriff, let alone the CSE taking it upon itself to punish criminals abroad. That’s not good because it means that MPs cannot really see themselves as having created or passed a law that has led to the CSE’s recent crime-fighting activities, with the broader effect of calling into question the legitimacy (if not the lawfulness) of the CSE’s activities.
The annual report does little to justify the CSE’s activities. However, in an interview with Global News the Associate Chief of CSE, Dan Rogers, stated:
“It kind of goes without saying that we work closely with the RCMP, with (the Canadian Security Intelligence Service), with Public Safety, but not just with them … Within our Five Eyes context and even broader international contest, we have to make sure that we’re (not conflicting with) law enforcement, that we’re not interfering with the investigation and that we’re taking actions that are the most reasonable actions to be taken.”
Rogers’ comments make clear there is some degree of deconfliction that takes place between the CSE and other domestic and international partners. However, this activity is not necessarily required under the CSE Act. As I have written elsewhere, “the CSE’s crime-fighting activities can occur after being condoned by at least a pair of ministers and their staff, and on the basis that they do not believe that the reduction in criminal behaviours could be reasonably achieved by other means (CSE Act, 34(3)). Neither the courts nor Public Safety Canada are necessarily involved in the decision.” The result is that the CSE’s current policy position is flexible and, thus, can be reformed should it place undue limitations on the agency or could even be eliminated entirely. I remain troubled that these kinds of critical policy decisions are not being debated publicly, let alone encoded in legislation.
Fourth, some readers might have been a bit surprised to see that the CSE has been involved in helping to address kidnapping cases abroad. The CSE has, however, long been involved in international kidnapping situations. CSE’s 2010-11 classified annual report stated:
With a focus on the protection of Canadians at home and abroad, targets representing a ‘threat to life’ are, in fact, the single highest priority associated with SIGINT analytic activity and targeting. In 2010-2011, CSEC identified and intercepted communications of various groups and individuals involved in threats against Canadian and allied interests, particularly in relation to [redacted] high-profile kidnappings.9
Moreover, in 2012 the CSE was developing techniques intended to be of assistance in kidnapping situations. We do not, however, know how commonly such techniques are used, the efficacy, or the outcomes of applying these techniques. These techniques require vast collections of personal information to operate, often represented in metadata. Furthermore, while these techniques can be used for kidnapping cases they could also be used for targeted surveillance of foreign persons who are of interest to the CSE or its partners.
Fifth, while the CSE is focused on monitoring extremist materials online, including IMVE, we somewhat surprisingly saw no explicit reference to the CSE in a recently released Parliamentary Committee report on the same topic, nor did anyone from the Department of Defence or Communications Security Establishment appear as a witness. The Standing Committee on Public Safety and National Security’s report, “Report 6: Rise of Ideologically Motivated Violent Extremism in Canada,” makes references to modernizing authorities along a “human rights-based approach” in the course of adequately funding and modernizing the authorities of Canada’s security intelligence community (Recommendation 8) as well as to guide the adoption of models which are used in the United Kingdom and Australia (Recommendation 9). The same report recommended that the “RCMP, national security agencies and the Public Prosecution Service of Canada have adequate resources to investigate and prosecute offences against Canada’s critical infrastructure and personnel, and ensure Canada’s anti-terrorism laws are applied equally” (Recommendation 25). The Committee called on the government to “invest in the development of Canada’s cyber infrastructure, specifically to better identify and remove automated bots used to amplify extremist content accessible to Canadians online” (Recommendation 33). Consultations were also recommended with “affected communities and law enforcement agencies to identify gaps in existing law and law enforcement regarding harmful online content” (Recommendation 32).
It is not hard to imagine the CSE having roles to play, or being implicated in, each of these recommendations should they be adopted by the government, though with the proviso that the CSE is prohibited from directing its activities at Canadians or any person in Canada except when operating under the assistance element of its mandate. For example, where designated hate organizations attempt to incite IMVE the CSE may be tasked with either independently ‘imposing costs’ on such organizations when they are designated as foreign or with assisting other governmental organizations which are trying to address cyber-enabled or cyber-facilitated IMVE activities.
While the term ‘prosecute’ in recommendation 25 is principally linked to the criminal justice system it could, also, refer to the CSE assisting other federal agencies. Moreover, it could include the CSE working independently to continue with its own operations which are directed towards addressing foreign harms against Canada’s critical infrastructure. This could include targeting foreign personnel which might be directed, or led, by foreign individuals adhering to IMVE beliefs.
Further, with the new powers that are introduced in Bill C-26 (An Act respecting cyber security, amending the Telecommunications Act and making consequential amendments to other Acts) the CSE will be tasked with receiving security-related information from telecommunications service providers and critical infrastructure providers, as well as providing guidance and support to these providers. In addition, a 2022 CRTC decision recognizes the CSE’s potential role in combatting online bots. Together this suggests that the CSE might have a role to play in addressing bots (Recommendation 33) by providing advice, generally, or even obtaining non-personal information to track threats and provide mitigation advice. And, under Recommendation 32, the CSE could potentially be tasked under the assistance element of its mandate to support law enforcement agencies in addressing harmful online content. In aggregate, then, we might expect to see the CSE and its Cyber Centre more deeply involved in IMVE issues in coming years and in excess of the small aside in its 2021-2022 annual report.
Lastly, when we turn to the protection of Canada’s electoral system it is perhaps surprising to see that the focus was on Elections Canada infrastructure and providing cybersecurity services or advice to parties. The annual report does not suggest that the CSE was involved in identifying or working to prevent influence operations. To some extent this is likely the result of CSIS having largely been tasked with leading these kinds of operations. CSIS could, if necessary, call upon the CSE to help with intelligence collection or even active cyber operations. Moreover, any of the CSE’s foreign intelligence operations around electoral interference could only be targeted towards non-Canadian foreign parties; where election interference, then, is undertaken by Canadians or within Canada the CSE may be limited in what it can collect. However, given that the former Conservative Party leader has claimed that foreign influence operations played a role in several ridings during the 2021 federal election, it is reasonable to ask what role the CSE does, could, or should play in monitoring or addressing such operations. More information from the government is needed here, if only to further clarify the division of responsibilities between the CSE, CSIS, RCMP, and Elections Canada and how these agencies register and respond to foreign influence operations inside, and outside, of electoral periods.
Foreign Cyber Operations
The CSE can undertake active and defensive cyber operations under the CSE Act. The agency casts these operations as helping to “protect Canada and Canadians.” The annual report parallels NSIRA reports which disclose the number of Ministerial Authorizations which are issued in a given year.10 The CSE reports that 2 were issued pertaining to active operations and 1 for defensive operations. Helpfully, readers of the annual report will see that, “multiple foreign operations may be conducted under a single Authorization” while, at the same time, “there are also cases where an Authorization may be anticipatory, with no operations required in the end” (13). There is an insufficient understanding of how these authorizations function and so it’s important to raise awareness about them.
Readers also learn more about the kinds of operations that have been authorized under these sections of the CSE’s mandate. Authorizations have been provided since 2019 and, thus, the range of activities listed are likely associated with the past 3 years of activities. Operations have included disrupting attempts to recruit, operate online, or disseminate violent extremist material, as well as countering cybercrime. These cybercrime efforts have included working with allies to “reduce the ability of cybercriminals to launch ransomware attacks and to profit from the sale of stolen information” (14).
While the CSE had defensive cyber authorization authorities that could have been used to deter or respond to malicious activity that targeted Elections Canada infrastructure they do not appear to have been exercised. (“Had there been malicious cyber activity targeting the election process, CSE would have been ready to act on it right away” (14).)
Finally, and without details, the CSE “has also used its active cyber operations capabilities to assist the Canadian Armed Forces in support of their mission” (14). No more information is provided.
Analysis of Foreign Cyber Operations
First, it’s worth noting that there were more Ministerial Authorizations for active cyber operations than in previous years, when only a single authorization was issued.11 There is no context provided to explain why an additional authorization was needed and issued.
Second, when we turn to the kinds of disruption activities that the CSE might be involved in, it is worth asking what must be met prior to an operation being conducted. How, as an example, does the government weigh and assess the divide between lawful but awful speech that is affected, versus outright unlawful speech or activities? Further, there are persistent questions of the extent(s) to which operations or activities which are permitted under different aspects of the CSE’s mandate might overlap. Should CSIS, as an example, rely on the CSE’s assistance mandate to disrupt foreign extremists who pose a threat to Canada’s national security then the CSE would be operating under CSIS’ own authorities and, as such, operations might not even be captured under active or defensive cyber operations. Thus, the number of active or defensive cyber operations authorizations may do little to reveal whether, and the extent to which and with whom, the CSE exercises its capabilities.
Third, cybercrime is explicitly identified as being ‘countered’ using active or defensive cyber operations. Without belabouring the point, I have ongoing questions concerning how the CSE deconflicts and interoperates with Public Safety Canada and the Department of Justice, as well as international partners. Further, the existing policies are malleable and subject to change based on executive decisions, with the effect that the current inclusionary processes are always subject to revision. It is possible that the government’s ransomware policy, which was indicated in a report from the National Security and Intelligence Committee of Parliamentarians (NSICOP) on “The Government of Canada’s Framework and Activities to Defend its Systems and Networks from Cyber Attack,” will provide at least some clarity on this point.
Fourth, while the CSE may not have exercised its defensive cyber operations authorization to combat electoral interference this should not suggest that the CSE has not exercised its defensive cyber authorizations. Put another way, while it may not have had to combat electoral interference under its defensive cyber operations authorization there is no reason to assume the CSE has not conducted any number of defensive cyber operations to address other threats. Moreover, it is possible that the CSE could have undertaken active cyber operations to proactively prevent electoral interference.
Fifth, while a reader might infer that assistance to the CAF pertains mostly to extracting Canadians from Afghanistan or working in support of the CAF’s Ukrainian operations, there is no reason to delimit the potential assistance in this way. The CAF has, to date, declined to disclose its cyber doctrine with the effect that Canadians cannot understand how CAF operates in cyberspace, the conditions under which it would undertake cyber activities, nor the domains wherein it might seek assistance from CSE. The result is that Canadians cannot understand when the CSE might provide assistance to CAF while working under its own mandate as opposed to when the CSE might operate under the CAF’s own mandate. Consequently, we can say that something that is missing from the annual report is an explanation of how the CSE’s active and defensive cyber operations authorizations intersect with its mandate to assist other government organizations: to what extent does the CSE providing assistance using active cyber operations constitute the CSE acting under its own legislation and mandate, versus under the assistance aspect of its mandate and thus under CAF restrictions, or even some combination of the two?
Sixth, there is no real explanation of what a cyber operation itself entails. While many readers might expect that active cyber operations cause a ‘boom’ of some type, I think that Kim Zetter’s explanation is likely amongst the most helpful in explaining cyber operations. She has written that while some “offensive cyber operations ‘may include actions that rise to the level of use of force’ as it’s defined under international law” others could entail changing a username and password, or server configuration information, or otherwise modifying systems to have variably overt effects. Moreover, in reading the kinds of activities which Global Affairs Canada believes could be responsibly undertaken, such as wiping the operating systems of computers, we see yet another set of possible activities that could be used in any given active or defensive cyber operation. While it is helpful to broadly understand the areas in which cyber operations might be applied, such as in support of the CAF or to counter cyber criminals, it would also be helpful to see the CSE make clear the kinds of activities which are considered appropriate or responsible expressions of cyber power.
Finally, and relating to the last point, there is no discussion of the lawful basis under which the CSE can undertake its active and defensive cyber operations. Global Affairs Canada has published how it interprets international law’s application to cyber. It would be good to see the CSE itself point to this as binding some of its actions while also using it to illuminate the kinds of activities it might undertake when conducting active or defensive cyber operations. This is particularly important given that NSIRA’s 2020 Annual Report found that “CSE was unable to provide an assessment of its obligations under international law regarding the conduct of active cyber operations” (para 52).
The CSE is tasked with keeping some of Canada’s sensitive information secure. As part of this, it piloted kits which enabled clients to access Canada’s Top Secret Network (CTSN) when they were in the field. Ideally, future reporting will indicate how successful the pilot has been and the ultimate results stemming from it.
As Canada’s cryptologic authority, the CSE has also been involved in supplying cryptographic tools, adopting new cryptographic procedures, advising on the use of cryptography and new techniques, and adopting homomorphic encryption, while also certifying products against Common Criteria and the Cryptographic Module Validation Program. The CSE has also participated in international standards bodies.
Analysis of Communications Security
First, homomorphic encryption is used to process, and analyze, encrypted information without having to decrypt it. The annual report does not explain the specific contexts in which this mode of encryption is being used, nor whether the CSE is using partially, somewhat, or fully homomorphic encryption. As described by Keyfactor:
Partially homomorphic encryption algorithms allow a certain operation to be performed an infinite number of times. For example, a particular algorithm may be additively homomorphic, meaning that adding two ciphertexts together produces the same result as encrypting the sum of the two plaintexts.
A somewhat homomorphic encryption algorithm allows a finite number of any operation rather than an infinite number of a particular operation. For example, a somewhat homomorphic encryption algorithm may be able to support any combination of up to five additions or multiplications. However, a sixth operation of either type would create an invalid result.
A fully homomorphic encryption algorithm allows an infinite number of additions or multiplications of ciphertexts while still producing a valid result.
Why are more details important? In part, because they can clarify just what the CSE is even referring to–there is significant variation in the extensiveness of operations that different iterations of homomorphic encryption can be used for–and, also, which agencies might specifically benefit from the use of such encryption in excess of the CSE and its own collected information.
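The additive property in the Keyfactor description above, shown as an added example (not from the CSE report, Keyfactor, or this post's sources) using a toy Paillier cryptosystem, a well-known partially homomorphic scheme. The primes, sample values and function names are constructed for illustration; note that in Paillier the homomorphic "addition" is carried out by multiplying ciphertexts modulo n², and that sums silently wrap modulo n.

```python
"""Toy Paillier cryptosystem: additively (partially) homomorphic.

Added illustration only. The primes below are constructed sample values
and are far too small to provide any security.
"""
import math
import secrets


def keygen(p, q):
    """Return (public, private) keys built from two distinct primes."""
    n = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)  # lcm(p-1, q-1)
    if math.gcd(lam, n) != 1:
        raise ValueError("unsuitable primes: gcd(lcm(p-1, q-1), n) != 1")
    g = n + 1                # standard simple choice of generator
    mu = pow(lam, -1, n)     # with g = n + 1, L(g^lam mod n^2) = lam mod n
    return (n, g), (lam, mu)


def encrypt(pub, m):
    """Encrypt integer m (0 <= m < n) with fresh randomness r."""
    n, g = pub
    if not 0 <= m < n:
        raise ValueError("plaintext must satisfy 0 <= m < n")
    n2 = n * n
    while True:
        r = secrets.randbelow(n - 1) + 1
        if math.gcd(r, n) == 1:
            break
    return (pow(g, m, n2) * pow(r, n, n2)) % n2


def decrypt(pub, priv, c):
    """Recover the plaintext from ciphertext c."""
    n, _ = pub
    lam, mu = priv
    u = pow(c, lam, n * n)
    return (((u - 1) // n) * mu) % n


def add_encrypted(pub, c1, c2):
    """Homomorphic addition: multiply ciphertexts modulo n^2."""
    n, _ = pub
    return (c1 * c2) % (n * n)


def scale_encrypted(pub, c, k):
    """Multiply the hidden plaintext by a public constant k."""
    n, _ = pub
    return pow(c, k, n * n)


def demo():
    """Run the sample computations and return the decrypted results."""
    pub, priv = keygen(1009, 1013)   # constructed toy primes
    n = pub[0]
    c_a, c_b = encrypt(pub, 1200), encrypt(pub, 345)
    return {
        # Sum computed by a party that never sees 1200 or 345.
        "sum": decrypt(pub, priv, add_encrypted(pub, c_a, c_b)),
        # Scaling by a public constant is also possible.
        "scaled": decrypt(pub, priv, scale_encrypted(pub, c_a, 3)),
        # Failure mode: results are only correct modulo n.
        "wrapped": decrypt(
            pub, priv,
            add_encrypted(pub, encrypt(pub, n - 1), encrypt(pub, 5)),
        ),
    }


if __name__ == "__main__":
    print(demo())
```

The scheme offers no way to multiply two encrypted values together, which is what separates a partially homomorphic scheme from the somewhat and fully homomorphic ones described above.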
Second, there should be open and ongoing questions about which international standards bodies the CSE has been participating in and a careful eye on what they are advancing in those bodies. While it does operate as Canada’s premier cryptologic agency, the CSE has previously either worked with, or been tricked by, allies to undermine the security provided by some random number generators that are associated with cryptologic processes.
Cybersecurity: Federal Institutions
The Cyber Centre has rapidly become a core element of Canada’s federal and cross-national cybersecurity apparatus. The CSE has deployed cloud-, network-, and host-based sensors across federal agencies’ systems and networks, and also received some technical data from the security logs of critical infrastructure partners, including from territorial and provincial governments. As of March 2022, 70 federal institutions had deployed cloud-based sensors and 79 had deployed host-based sensors to over 730,000 hosts.
A wide range of incidents were tracked, including those associated with reconnaissance activities, phishing incidents, unauthorized access to IT environments, imminent ransomware attacks, and zero-day exploits (19). The CSE logged a total of 2,023 cases, with 1,154 associated with federal institutions and 869 to critical infrastructure.
Analysis of Cybersecurity: Federal Institutions
First, the Government of Canada is moving towards (or has arrived at) a situation where sensors are a key component of its cyber defence capabilities and it has plans for them to be more widely deployed over time. As discussed in a 2022 report from the National Security and Intelligence Committee of Parliamentarians (NSICOP), host-, network-, and cloud-based sensors all operate under Ministerial Authorizations because the information they collect “may relate to a Canadian or to a person in Canada for which there is a reasonable expectation of privacy” (para 200). Ideally the CSE would spend more time explaining some of the personal information that can be collected using these sensors and what it does to safeguard or discard unnecessary personal information. This would include at least some discussion of the intersection between Ministerial authorizations used to permit the deployment of sensors and the federal Privacy Act (when running on government systems) as well as the Personal Information Protection and Electronic Documents Act (PIPEDA) when deployed to protect private systems.
Second, when we shift to assessing the kinds of incidents that the CSE is managing it appears that there are a wide range of activities included. It is unclear from the annual report what the actual severity of the incidents has been. How many incidents were largely prevented versus how many had to be responded to because a threat actor was successful in their activities? And, where an actor was successful, what was the general effect and how able was the Cyber Centre/CSE to expel the actor? To demonstrate this isn’t some idle speculation, it’s worth recalling that Global Affairs Canada suffered a serious cyber incident during the fiscal year covered by the annual report, but no mention is made of this seemingly serious breach of the government of Canada’s cybersecurity. Given the large amounts of money, and increasing responsibilities, that are being poured into the CSE it is imperative that Canadians are informed about the efficacy of the agency’s activities when it is attempting to defend against, or repulse, threat actors.
Third, in the case of defending against ‘imminent’ ransomware attacks it is possible that the imminence of these incidents was made apparent as a result of either the CSE’s FORINT capabilities or alerts from our allies. Preparing for an incoming attack is a good thing and could be used as a case to reveal how different aspects of the CSE’s mandate can be used to inform one another. Making this linkage clear is important so as to clarify to readers the complexity of the CSE’s operations and how they stretch across aspects of its mandate. Moreover, making these links more apparent may help to clarify not just how the CSE works internally but, also, how it can extend multiple elements of its mandate simultaneously in assisting domestic agencies or when working with foreign partners.
Cybersecurity: Critical Infrastructure
The Cyber Centre spent “much” of its focus across 2021-2022 “deepening and extending” relationships with critical infrastructure providers. This included engaging approximately 1,000 critical infrastructure providers, including those in: academia, Crown corporations, democratic institutions, energy, finance, health, information and communications technology, provinces/territories/municipalities, small and medium sized organizations, and transportation.
Given the previously noted threats to critical infrastructure that were raised by the Cyber Centre in its 2020 threat assessment, combined with the outbreak of ransomware operations that targeted Canadians and Canadian organizations and the Cyber Centre finding its footing, it should be expected that the Cyber Centre would conduct outreach with critical infrastructure providers. Indeed, following a serious ransomware operation that targeted Newfoundland and Labrador’s healthcare system the CSE deployed a team for three weeks to provide on-site support, along with other support and guidance (22). Efforts have also been made to develop and provide free cyber security services, including an automated threat intelligence feed that shared 46,965 indicators of compromise over 2021-2022 (24).
To protect energy infrastructure, some private organizations can “share their network data with the Cyber Centre for analysis, which gives the Cyber Centre a more accurate picture of the threats affecting the natural gas sector” (25). This parallels the prior model that the Cyber Centre established with Ontario’s Independent Energy System Operator (IESO).
In addition to also working to protect some healthcare systems, such as by working with the Canadian Internet Registration Authority (CIRA) to offer DNS firewall services to hospitals, health authorities and bio-pharmaceutical manufacturers (25), as well as protecting democratic institutions, the CSE worked with telecommunications and financial sector partners to prevent phishing. This prevention work entailed partners sharing “suspected malicious websites with each other” where each “partner can vet and use the information according to their own mandate” (26). In September 2021, the Cyber Centre launched a sharing hub that enabled the automated vetting and documenting of cyber threats, with the effect of partners being able to more quickly mitigate threats associated with phishing.
The annual report also makes clear that though 61% of surveyed businesses suffered a cyber security incident only 26% of them reported the incident to law enforcement (27). 85% of SMEs were unaware the government offered cyber security supports and 52% didn’t know where to report a cybercrime. While a portal exists for government departments, critical infrastructure providers, and IT practitioners to report incidents to the Cyber Centre, all SMEs are directed to “the right partner for different incident types”, such as the RCMP or local police, or the Spam Reporting Centre (27).
Analysis of Cybersecurity: Critical Infrastructure
First, the Cyber Centre, and CSE more broadly, is working to protect critical infrastructure and is responsive to emerging threats, such as ransomware attacks on healthcare facilities. This is a good thing! A degree of nimbleness is needed so long as the Cyber Centre is operating as a kind of first responder to serious incidents. However, I do have to wonder just how many incidents the Cyber Centre can simultaneously respond to; if several healthcare systems across Canada are affected similar to Newfoundland’s healthcare system, along with other critical infrastructure sectors (e.g., major telecommunications outages), how well will the Cyber Centre be positioned to provide assistance? It would be helpful to see the Cyber Centre address this, perhaps in their own dedicated report. At the same time, I hope that we see provincial governments begin to stand up their own quick-response units to assist the critical infrastructure providers and small and medium sized enterprises under their ambit.
Second, the Cyber Centre’s efforts to create automated platforms that collect, vet, and share information can potentially be very helpful and stand in juxtaposition towards non-platform sharing, such as text- or pdf-based alerts. By the same measure, however, it is important that other parties assess the indicators of compromise and other signalling information to determine the quality of the shared information and catch any false positives. Moreover, it will be worth watching how these sharing systems evolve over time in light of legislation which was introduced in the summer of 2022 which could be used to compel more information sharing between the Cyber Centre and critical infrastructure providers. The models being built with the energy sector, as an example, might be something that providers are encouraged to adopt or compelled by government order to adopt if they refuse to voluntarily accept them.
Third, things look downright bad when turning to small and medium sized enterprises. There is typically a multi-million dollar cost that has to be incurred before local law enforcement or the RCMP will investigate any given case, and an investigation does not mean that charges will be filed or restitution for losses obtained. The government is beta testing a new National Cybercrime and Fraud Reporting System (NCFRS), which currently accepts up to 25 reports per day, so at least some kind of statistical information will be available in coming years. Still, even when businesses do report a crime using the NCFRS the losses they incur may put them out of business. Small and medium sized enterprises, functionally, are on their own and should not expect the federal government to ride to assist them should they suffer some kind of an intrusion or security incident. Woe to these smaller businesses and individual Canadians alike.
Building Canada’s Digital Resilience
I don’t really have a great deal to say about this section of the report. However, the CSE has followed its American cousins to promote Cyber Security Awareness Month (CSAM). While I think that the initiative is to be praised it probably needs to be rebranded on the basis that it shares an acronym with Child Sexual Abuse Materials.12
The annual report provides information about work being undertaken by the Tutte Institute, on quantum systems, as well as about collaborative events with partners and on its various cyber security tools.
The Tutte Institute is “a government research institute focused on fundamental mathematics and computer science” which was founded in 2011 and conducts research in the areas of cryptography and data science. The annual report discloses research that might be applicable to the Cyber Centre’s defensive missions, including detecting fake social media accounts using machine learning, reducing false positives in malware detection, processing encrypted data without decrypting (homomorphic encryption), and speeding up SPAM and phishing detection as well as separating malicious network traffic activity from weird but benign traffic using artificial intelligence.
The Cyber Centre and Tutte Institute are working together to study “new cryptographic techniques and the mathematics they are based on to find quantum-resistant solutions”, and the Cyber Centre is also assessing NIST’s quantum-resistant cryptography.
The Cyber Centre hosts multiple annual events. One of them, BigDig, brought together partners from Five-Eyes countries, industry partners, and participants from the Government of Canada to “tackle high-priority cyber security challenges” (37). Three of the problems tackled were, arguably, largely ‘cyber security’ related and pertained to incident detection, malware analysis, and securing the Internet of Things (IoT). The fourth topic area where advances were made was defensive cyber operations capabilities.
Finally, a number of tools which were improved upon are listed. These include Observation Deck (a web application that lets users view data from host-based sensors on their IT infrastructure to make decisions about cybersecurity), ASTRA (a threat risk assessment tool that helps departments assess the levels of cyber risk to their IT assets), and Tracker (an interactive platform that lets users “check the security configuration of their public facing websites and email services … for departments to check their compliance with both [Treasury Board Secretariat] and Cyber Centre Guidance”) (39).
Analysis of Innovation
First, it’s worth noting that many defensive research innovations can have associated benefits for the foreign intelligence or active and defensive cyber operations aspects of the CSE’s mission. Determining what constitutes ‘weird but benign’ network traffic, as an example, can be useful when developing probes to enter foreign networks such that they appear as benign instead of as efforts to intrude into a network.
Second, while BigDig is the only classified event recounted in the annual report, the CSE participates in numerous other classified events with its Five Eyes partners. None of these other events are discussed. As such, Canadians do not learn about how the CSE worked to develop techniques to expand its presence in international networks, better derive intelligence from information that it and its allies have collected, build tools to enter into devices and systems, or to secretly exfiltrate information. Again, only a very small element of CSE’s innovations are being raised or disclosed in its annual report; while not surprising, it’s important to keep in mind while reading its contents.
Third, and related, is that BigDig did see the CSE and its partners make advances on “defensive cyber operations capabilities” (37). It’s possible that this term is being used expansively–and thus includes activities undertaken under the CSE’s mandate to secure government of Canada systems and systems that have been deemed as of importance by the government–but it could, also, suggest that defensive cyber operations capabilities themselves were developed. If the latter is true, then this is a small but notable (if obvious) disclosure from the CSE that it works with its partners to develop the capabilities that bring to life its defensive cyber operations authorities.
Fourth, while a set of tools are discussed a much larger set of tools were not discussed. There is nothing explaining how tools relied upon by the foreign intelligence side of CSE, as an example, were improved upon. This absence is explained by those tools being classified but, simultaneously, it is just worth noting that the bulk of the CSE’s tooling innovations cannot and will not be disclosed in a public annual report.
In discussing its accountability, the CSE included links to outward facing communications (e.g., public reports, responses to ATIPs, interviews, etc) and also provided top-level bullets for how it strives to ensure that employees are aware of their legal and policy obligations. The CSE also provided a summary of how it interoperates with its oversight body, the Intelligence Commissioner, as well as the Ministerial Authorizations that have been submitted pertaining to Foreign Intelligence and Cybersecurity operations. The Intelligence Commissioner must approve these prior to the CSE undertaking operations associated with them. As was disclosed by the Intelligence Commissioner earlier this year, there were 3 Foreign Intelligence Authorizations and 2 Cybersecurity Authorizations submitted. All were approved, save for one partially approved Foreign Intelligence authorization.
The CSE is also subject to external review by NSICOP and NSIRA. During its fiscal year,13 the CSE contributed to 14 reviews, of which 4 were initiated during the fiscal year and 10 were ongoing. 12 of these were undertaken by NSIRA and 2 by NSICOP. Activities taken to support review were listed, including “thousands of hours” to support review, responding to 200 questions from NSICOP and NSIRA, providing access to thousands of documents and records, holding 20 briefings, meetings, or interviews with reviewers, providing office space and building access to NSIRA for their research, and proactively sharing information about Ministerial Authorizations and Orders with NSIRA (41).
The annual report also includes a discussion about a review NSIRA conducted, and which found areas for improvement by the CSE. Specifically, in assessing the CSE’s disclosure of Canadian Identifying Information, I previously summarized that NSIRA found:
- CSE had potentially violated the Privacy Act, which governs how federal government institutions handle personal information.
- CSE handled information it collected under warrant for the Canadian Security Intelligence Service (CSIS) in excess of the warrant requirements. Specifically, the Federal Court and CSIS believed that collected information would be tightly controlled and restricted, but the CSE handled the information with fewer restrictions than either the Court or CSIS anticipated.
- CSE officials may have misled Parliament in explaining how the assistance element of its mandate was operationalized in the course of debates meant to extend CSE’s capabilities and mandate.
CSE’s annual report makes clear that it has implemented 10 of 11 recommendations, and has launched a privacy impact assessment (the 11th recommendation) and intends to have completed the assessment by 2022. Notably, “following consultations with government partners, CSE is satisfied that all but one of those [2,351] disclosures [of Canadian identifying information] were compliant. The single disclosure that was not compliant with the Privacy Act has been retracted and the data that was disclosed has been purged by the receiving institution” (42).
Analysis of Accountability
First, it’s worth discussing the nature of the ‘partially reasonable’ foreign intelligence authorization that the CSE received. While I wouldn’t necessarily expect the CSE to include a detailed explanation of how such a conclusion can be reached it may be useful to understand so as to assess future partial authorizations, and especially given that, on its face, it isn’t necessarily apparent how the CSE Act or Intelligence Commissioner Act authorizes the Intelligence Commissioner to come to such a finding. I previously asked for clarification about this from the Intelligence Commissioner in March 2022, and I reproduce their comprehensive and complete response below:
Dear Mr. Parsons:
We acknowledge receipt of your question sent to the Office of the Intelligence Commissioner (ICO) on May 10, 2022, regarding a reference in the ICO Annual Report 2021 where the IC found that the Minister of National Defence’s conclusions were reasonable with respect to one Foreign Intelligence Authorization, with the exception of those relating to a specific activity.
It is important to note that a Foreign Intelligence Authorization may be comprised of more than one activity. Subsection 26(1) of the Communications Security Establishment Act (CSE Act) states that “[t]he Minister may issue a Foreign Intelligence Authorization to the Establishment that authorizes it, despite any other Act of Parliament or of any foreign state, to carry out, on or through the global information infrastructure, any activity specified in the authorization in the furtherance of the foreign intelligence aspect of its mandate.” The French version states “à mener toute activité précisée dans l’autorisation.” [Emphasis added].
Furthermore, subsection 34(1) of the CSE Act indicates that “[t]he Minister may issue an authorization under subsection 26(1), 27(1) or (2), 29(1) or 30(1) only if he or she concludes that there are reasonable grounds to believe that any activity that would be authorized by it is reasonable and proportionate, having regard to the nature of the objective to be achieved and the nature of the activities.” The French version indicates “s’il conclut qu’il y a des motifs raisonnables de croire que l’activité en cause est raisonnable et proportionnelle.” [Emphasis added].
Pursuant to paragraph 20(1)(a) of the Intelligence Commissioner Act (IC Act), after conducting a review of a Foreign Intelligence Authorization, the IC, in a written decision, must approve the authorization if satisfied that the conclusions at issue are reasonable, and must set out his or her reasons for doing so. The French version states “s’il est convaincu que les conclusions en cause sont raisonnables.” [Emphasis added]. Paragraph 20(1)(b) of the IC Act covers those situations where the IC is not so satisfied.
In accordance with the above provisions from both the IC Act and the CSE Act, the IC must determine whether the conclusions at issue for each and every activity are reasonable, in the same manner that the Minister of National Defence must determine whether he or she can conclude that each and every activity is reasonable and proportionate.
With respect to the Foreign Intelligence Authorization referenced in the ICO Annual Report 2021, the IC made a determination as to whether the Minister’s conclusions for each and every activity found in that Foreign Intelligence Authorization were reasonable. As stated at page 23 of the ICO Annual Report 2021, the IC found that the Minister’s conclusions were reasonable in the Foreign Intelligence Authorization, with the exception of those relating to a specific activity. In that respect, the IC found that the Minister’s conclusions lacked information on the nature of the activity described and on how such an activity would be reasonable and proportionate. The IC was, thus, of the view that the Minister’s conclusions did not bear the essential elements of reasonableness: justification, transparency, intelligibility and did not establish whether they were justified in relation to the relevant factual and legal contexts. The IC determined that he must not approve the Foreign Intelligence Authorization relating to the one specific activity where he was not satisfied that the conclusions at issue were reasonable. The Foreign Intelligence Authorization was therefore partially approved.
We trust this answers your question and we thank you for your ongoing interest in the work of the ICO.14
It remains entirely unclear what was partially approved other than it pertains to foreign intelligence-related activities.
Second, across the entire report we now have a summary of all of the Ministerial Authorizations that the CSE sought and received throughout 2021.15 These include:

| Type of Ministerial Authorization | Enabling Section of the CSE Act | Number Requested | Number Approved |
| --- | --- | --- | --- |
| Foreign Intelligence | 26(1) | 3 | 2 fully, 1 partially |
| Cybersecurity — federal and non-federal | 27(1) and 27(2) | 2 | 2 |
| Defensive Cyber Operations | 29(1) | 1 | 1 |
| Active Cyber Operations | 30(1) | 2 | 2 |

We can combine the CSE’s 2021 number with those from NSIRA’s last annual report to generate a list of authorizations dating back to 2019.

| Type of Ministerial Authorization | Enabling Section of the CSE Act | 2021 | 2020 | 2019 |
| --- | --- | --- | --- | --- |
| Foreign Intelligence | 26(1) | 2 + 1 partial | 3 | 3 |
| Cybersecurity — federal and non-federal | 27(1) and 27(2) | 2 | 1 | 2 |
| Defensive Cyber Operations | 29(1) | 1 | 1 | 1 |
| Active Cyber Operations | 30(1) | 2 | 1 | 1 |

Third, the assistance provided to reviewers is cast as significant but, really, is the cost of doing business when there is no functional way for the public or the majority of parliament to interrogate what the CSE is doing. This is particularly the case when it comes to classified foreign intelligence, cyber security and information assurance, and active and defensive cyber operations, as well as any interagency coordination or assistance. Still, it is positive that NSIRA staff have access to space within the CSE to be able to do their jobs. It is perhaps worth recognizing that NSICOP staff do not apparently need, or do not enjoy, the same degree of access to the CSE’s facilities.
Fourth, the CSE’s response to NSIRA’s review of its handling of Canadian identifying information does not address the totality of the issues which were raised in the report. It remains unclear, as an example, as to whether the two government bodies have come to a meeting of minds about how the Privacy Act applies or whether the CSE has simply adopted a position that varies from NSIRA’s. Recommendations will, one would hope, ensure that information collected on behalf of CSIS, and under warrant, is handled appropriately in the future. The CSE’s response in their annual report does not address, in any apparent way, the broader concern that the Chief and senior staff may have misled parliament. It must be noted, though, that these matters might have been discussed in a classified report at another time and kept away from the public.
While this is a long section, I don’t have a great deal to say about it. The CSE is continuing to invest in enabling a remote workforce which, in part, has meant developing a better multi-classification environment. It is also migrating more of its work into the cloud and, in particular, “low-side workloads, services, tools, and applications” (54).
A multi-classification environment may enable the CSE to better and more quickly release materials under ATIP laws at some point. Should Canada ever adopt an automatic-declassification system, similar to that of the United States, then the systems being adopted by the CSE could theoretically help such a system so long as the declassification systems have been built for purpose. I would hope that historians are involved in any discussions on better or worse ways of building these kinds of multi-classification systems with an eye to enabling the release of information in the future.16
That the CSE is adopting more cloud infrastructure will likely be good for some contractors which can provide secure cloud environments, such as Microsoft or Amazon. The advancement of the CSE’s own cloud sensors may help to accelerate this trend and, thus, be something to watch for in coming years.
CSE’s 75th Anniversary and CSE at a Glance
The final two sections of the annual report provide some highlight information about the agency. It provides an account of how it celebrated its 75th anniversary17 and information about the unique challenge coin it created to mark the occasion.18
We see from the ‘at a glance’ information that the CSE’s budget and workforce continue to increase, with there now being 3,199 full-time employees at the agency. This number excludes students, contractors, part-time staff, and personnel who are from allied organizations. Thus, the actual total number is likely at least somewhat higher than the on-the-books number of employees.
My colleague Bill Robinson has stated that the CSE’s annual reports are starting to become respectable and useful documents. I agree, though on the condition that what is being publicly revealed constitutes a minority of the activities undertaken by the CSE and, also, on the basis that decoding the annual report requires relatively extensive knowledge of surrounding reports, parliamentary activities, speeches, government policies, and the activities of domestic and foreign intelligence agencies to contextualize the annual report. Nonetheless, the annual report does provide useful breadcrumbs of information for readers while, at the same time, describing some of the CSE’s activities in its own words.
The annual report does little to truly educate the public on what the CSE actually does with the majority of its time and efforts. While it is positive that there is some minor discussion of its foreign intelligence and active/defensive cyber operations activities, it would be good to see more. What, as an example, are the government of Canada’s core intelligence priorities? How does the CSE work to specifically demonstrate responsible conduct when conducting its foreign intelligence operations? In what ways do its foreign intelligence or active/defensive cyber operations activities overlap with the CSE’s mandate to assist other federal agencies?
Some will certainly scoff at the idea that the aforementioned information could be disclosed. However, I think that it’s important for such information to be disclosed if the CSE and others in the security and intelligence community genuinely want Canadians to understand and care about the work that the national security community is doing, and appreciate the ever-present threats faced by Canadians and Canadian organizations. Generally, I think that more details are needed in future annual reports that include instances where failures may have occurred and, alongside, how the CSE subsequently responded or improved its resiliency. To read this report is to suggest that almost no errors or failures were experienced. Even public accounts can demonstrate this has not always been the case.
One of the historical concerns has been how, and in what ways, the CSE has provided assistance to other federal agencies. The CSE should make clear how regularly it receives requests, and provides assistance, to other agencies. It would be helpful to also get some details on the classes of assistance (e.g., foreign intelligence, cyber security, active cyber operations, defensive cyber operations) to better appreciate the specific kinds of assistance that the CSE is providing. Breaking out the kinds of assistance in large buckets, such as those associated with the elements of the CSE’s mandate, is unlikely to jeopardize any operations but will provide some meaningful transparency into the CSE’s activities, along with those of other federal agencies.
Finally, I would like to see future annual reports make clearer how elements of the CSE’s mandate can be drawn together in supporting operations. A persistent challenge is conveying to the public how the CSE’s broader mandate is composed of elements that can work together. While some of the Snowden revelations made this more apparent, this is a point that parliamentarians and the public alike are often confused by. The CSE could clarify things itself or it can wait until one of its review bodies does so for it. I suspect that the CSE, however, would prefer to be in control of that narrative and thus should come out ahead of its reviewers.
Thanks to Bill Robinson for reading and reviewing an earlier version of this post, as well as to the individuals I have spoken to about the CSE’s annual report. Any errors or misjudgements remain firmly my own.
1. I am also making a locally hosted .pdf version of the report available for download.
2. Colloquially, the elements of the CSE’s mandate are often referred to as Mandates A (foreign intelligence), B (defending networks), C (assistance), D (active cyber operations), and E (defensive cyber operations). I decline to refer to them as individual mandates but, instead, as elements or aspects of the CSE’s 5-part mandate.
3. These norms were set out in the “Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security” report that was published in 2015.
4. “CSE’s mandate authorizes [it] to conduct foreign cyber operations to help protect Canada and Canadians. These operations may be defensive or active.” Source: Cyber Operations
5. “Before, and throughout the invasion, the Cyber Centre continued to track cyber threat activity in Canada and around the world…”
6. In Canada, this has taken the form of formal reports and alerts from the Cyber Centre, public comments from senior members of the security and intelligence community, and the issuance of a joint publication by Canadian and allied governments.
7. For a discussion on the configuration of the CSE’s mandate, see “A Deep Dive into Canada’s Overhaul of Its Foreign Intelligence and Cybersecurity Laws.”
8. See Juneau and Carvin. (2022). Intelligence Analysis and Policy Making: The Canadian Experience. Stanford University Press. Pp 89-91.
9. CSE. (2011). “Annual Report to the Minister of National Defence 2010-2011,” p. 4. Released in redacted form under Access to Information request A-2017-00017.
10. We can expect to see NSIRA report the total number of authorizations in its annual report, later this year.
11. For a tabular summary of the Ministerial Authorizations which have been issued, see footnote 3 of “Unpacking NSIRA’s 2020 Annual Report.”
12. While even the CSE’s acronym might be problematic in some cases, as it can stand for Child Sexual Exploitation or, in the case of CSEC, Commercial Sexual Exploitation of Children, it seems less likely that the entire agency can or would be renamed.
13. The fiscal year for the CSE that is covered in the annual report spans April 1, 2021 to March 31, 2022 (4).
14. All emphases were added by the Intelligence Commissioner’s Office in their written response to me.
15. The CSE presented its 2021 authorizations to align them with their reviewers’ schedules and, thus, excluded authorizations sought or received in 2022. I think that’s an entirely fine editorial decision on the CSE’s part.
16. I’m not holding my breath, however.
17. Bill Robinson also marked the CSE’s 75th anniversary and captured the information he shared on his blog.
18. The coin was, admittedly, very impressive and cool.