The Communications Security Establishment (CSE) released its 2021-2022 Annual report on June 28, 2022.1 The CSE is Canada’s leading foreign signals intelligence and cryptologic agency. It is specifically tasked with collecting foreign intelligence, defending government of Canada networks as well as private networks and systems deemed of importance by the government, providing assistance to federal partners, and conducting active and defensive cyber operations.2 The CSE operates as a Canadian equivalent to the United Kingdom’s GCHQ.
Five things stood out to me in the annual report:
It provides more details about the kinds of active and defensive cyber operations that the CSE has undertaken while also clarifying when such operations might take place. This information is important given the potentially deleterious or unintended impacts of the CSE exercising these capabilities. It is, however, worth recognizing that the CSE is casting these activities as preventative in nature and does not include a legal discussion about these kinds of operations.
The report extensively discusses threats to critical infrastructure and the activities that the CSE is undertaking to defend against, mitigate, or remediate such threats. Many of the currently voluntary engagements between the CSE and industry partners could become compulsory (or, at a minimum, less voluntary), in the future, should Canada’s recently tabled infrastructure security legislation be passed into law.
We generally see a significant focus on the defensive side of the CSE’s activities, vis-a-vis the Cyber Centre. This obscures the fact that the majority of the agency’s budget is allocated towards supporting the CSE’s foreign intelligence and active/defensive cyber operations teams. The report, thus, is selectively revelatory.
No real discussion takes place to make clear to readers how aspects of the CSE’s foreign intelligence, cybersecurity/information assurance, assistance, or active or defensive cyber operations authorities may interoperate with one another. The result is that readers are left uncertain about how combinations of authorities might enable broader operations than are otherwise self-apparent.
As I raise at several points when analyzing the annual report there are a number of situations where information in the annual report risks concealing the broader range(s) of actions that the CSE may undertake. Readers of the annual report are thus advised to critically assess the annual report and read what it specifically says instead of what it may imply.
In this post, I proceed in the order of the report and adopt the headlines it used to structure content. After summarizing some of the highlight elements in a given section I proceed with a short discussion of the relevant section. The post concludes with a broader assessment of the annual report, what was learned, and where more information is desirable in the future.
Many of Canada’s closest allies have either firmly or softly blocked Huawei and ZTE from selling telecommunications equipment to Internet service providers in their countries over the past several years. After repeated statements from Canadian government officials that a review of Huawei equipment was ongoing, on May 19, 2022 the government announced its own bans on Huawei and ZTE equipment. The government published an accompanying policy statement from Innovation, Science, and Economic Development (ISED) Canada on the same day.
This post begins by summarizing the possible risks that Chinese vendors might pose to Canadian networks. Next, it moves to discuss the current positions of Canada’s closest allies as well as Canada’s actions and statements pertaining to Chinese telecommunications vendors leading up to the May 2022 announcement. It then proceeds to unpack the government’s “Securing Canada’s Telecommunications System” policy statement. Some highlight findings include:
The government is unclear when it refers to “supply chain breaches”;
The government may be banning Huawei and ZTE principally on the basis of American export restrictions placed on Chinese vendors and, thus, be following the same model as the United Kingdom which was forced to ban Huawei following American actions; and
Establishing the security and protection of telecommunications systems as an “overriding objective” of Canadian telecommunications policy could have long-term implications for Canadians’ privacy interests.
The post concludes by discussing the policy and political implications of the policy statement, why any telecommunications security reforms must not be accompanied by broader national security and law enforcement reforms, and why the Canadian government should work with allied and friendly countries to collectively assess telecommunications equipment.
For several years there havebeenrepeated calls by academics and other experts for the Government of Canada to develop and publish a foreign policy strategy. There have also been recent warnings about the implications of lacking such a strategy. Broadly, a foreign policy strategy is needed for Canada to promote and defend its interests effectively.
Not only has the Government of Canada failed to produce a foreign policy strategy but, also, it has failed to produce even a more limited strategy that expresses how Canada will develop or implement the cyber dimensions of its foreign policy. The government itself has been aware of the need to develop a cyber foreign policy since at least 2010.1
As I have previously written with colleagues, an articulation of such a cybersecurity strategy is necessary because it is “inherently a discussion of political philosophy; not all actors share the same understanding of what is, or should be, the object of security, nor is there necessarily a shared understanding of what constitutes a threat.” To clearly and explicitly assert its underlying political values Canada needs to produce a coherent and holistic cyber foreign policy strategy.
The May 2021 draft links the scope of the Strategy to order and prosperity as opposed to advancing human rights or Canadian values.
The May 2021 draft struck language that Canadians and Canadian organisations “should not be expected to independently defend themselves against state or state-backed actors. There are steps only government can take to reduce cyber threats from state actors”. The effect may be to reduce the explicit expectation or requirement of government organisations to assist in mitigating nation-state operations towards private individuals and organisations.
The May 2021 draft struck language that GAC would create a cyber stakeholder engagement action plan as well as language that GAC would leverage its expertise to assist other government departments and agencies on engagement priorities and to coordinate international outreach.
None of the drafts include explicit reference to pressing international issues, including: availability of strong encryption, proliferation of cyber mercenaries, availability and use of dual-use technologies, online harms and disinformation, authoritarian governments’ attempts to lead and influence standards bodies, establishing a unit in GAC dealing with cyber issues that would be equivalent to the US State Department’s Bureau of Cyberspace and Digital Policy, or cyber operations and international law.
None of the drafts make a positive case for what would entail an appropriate or responsible use of malware for cyber operations.
In this post I summarise the highlights in the drafts of the Strategy and, then, proceed to point to larger language and/or policy shifts across successive drafts of the CICSDI. I conclude by discussing some policy issues that were not mentioned in the drafts I obtained. While the draft has never been promulgated and consequently does not formally represent Canada’s foreign cybersecurity strategy it does present how GAC and the government more broadly conceptualised elements of such a strategy as of early- to mid-2021.
On February 14, 2022, the National Security and Intelligence Committee of Parliamentarians (NSICOP) released a report that explored how the Government of Canada sought to defend its systems and networks from cyber attack from 2001 onwards.1 The report provides a comprehensive account of how elements of the Government of Canada–namely the Treasury Board Secretariat (TBS), Shared Services Canada (SSC) and Communications Security Establishment (CSE)–have developed policies, procedures, and techniques to protect government systems, as well as the iterative learning processes that have occurred over the past two decades or so pertaining to governmental cyber defence activities.
I want to highlight four core things that emerge from my reading of the report:
From an empirical point of view, it’s useful to know that the Government of Canada is preparing both a policy on paying ransomware operators as well as developing a Vulnerabilities Disclosure Policy (VDP) though the report does not indicate when either will be open to public comment or transformed into formal government policy;
A high-level discussion of senior coordination committees is provided, though without an accompanying analysis of how effective these committees are in practice. In particular, the report does not discuss how, as an example, cross-departmental committees are working to overcome problems that are raised in the sections of the report focused on TBS, SSC, or the CSE;
NSICOP maintains that all parties associated with the government–from Crown corporations, to government agencies, to other independent branches of government–should operate under the government’s security umbrella. NSICOP does not, however, make a constitutional argument for why this should be done nor assess the operational reasons for why agencies may not currently operate under this umbrella. Instead, the report narrowly argues there are minimal privacy impacts associated with enjoying the government’s cyber security protections. In doing so, the committee presumes that privacy concerns have driven separate branches of governments to operate outside policies set by TBS, and services offered by SSC and the CSE. At no point did the Committee engage with the Office of the Privacy Commissioner of Canada (OPC) to assess potential privacy issues associated with the government’s cyber security policies and practices; and
NSICOP did not canvas a wide set of government agencies in their interviews and included no external-to-government parties. The consequence is that the report does not provide needed context for why some government agencies refuse to adopt TBS policy guidance or regulations, decline services operated by SSC, or have limited uptake or adoption of advice or technical systems offered by the CSE. The consequence is that this report does nothing to substantively assess challenges in how TBS, SSC, or the CSE themselves are deploying their defensive capacities across government based on the experiences of those on the receiving end of the proffered cyber security and defence offerings.
In this post, I conduct a deep dive into NSICOP’s report, entitled “National Security and Intelligence Committee of Parliamentarians Special Report on the Government of Canada’s Framework and Activities to Defend its Systems and Networks from Cyber Attack.” Throughout, I summarize a given section of the report before offering some analysis of it. In the conclusion of this post I summarize some of the broader concerns associated with the report, itself, as well as the broader implications these concerns may have for NSICOP’s long-term viability as an independent reviewer of the national security community.
There are innumerable books, movies, podcasts, and TV shows that discuss and dramatize the roles of intelligence services during the Cold War. Comparatively few of those media, however, discuss Canada’s role during the same period. Molinaro’s edited volume, The Bridge in the Parks: The Five Eyes and Cold War Counter-Intelligence, goes a way to correcting this deficiency by including five chapters on Canada,1 as well as post-script, in a nine chapter book about Cold War counter-intelligence practices.
The Bridge in the Parks is written by historians who have used archival research and access to information laws to unearth information about a variety of Five Eye security services. The aim of the text as a whole is to “add nuance to what has often been a polarizing historical field in which scholars are forced to choose between focusing on abuses and the overreach of intelligence agencies in the Cold War or discussing successfully prosecuted individuals cases of counter-intelligence. This volume thus seeks to add complexity to this history, more in line with the “grey” world in which counter-intelligence has often existed” (8). On the whole, the book is successful in achieving this aim.
I want to highlight three points that emerge from my reading of report:
NSIRA has generally been able to obtain the information it required to carry out its reviews. The exception to this, however, is that NSIRA has experienced challenges obtaining information from the Communications Security Establishment (CSE). It is not entirely clear why this has been the case.
While most of NSIRA’s reviews have been completed in spite of the pandemic, this is not the case with CSE reviews where several remain outstanding.
NSIRA has spent time in the annual report laying out tripwires that, if activated, will alert Canadians and their elected officials to problems that the review agency may be experiencing in fulfilling its mandate. It is imperative that observers pay close attention to these tripwires in future reviews. However, while these tripwires are likely meant to demonstrate the robustness of NSIRA reviews they run the risk of undermining review conclusions if not carefully managed.
In this post, I proceed in the order of the annual review and highlight key items that stood out. The headings used in this post, save for analysis headings, are correlated with the headings of the same name in the annual report itself.