Bill C-59, Canada’s Secret Spy Agency, and the Cyber Offensive

By Bryan Roh

Update 1: A previous version of this article incorrectly stated that Bill C-59 was currently undergoing second reading in the Senate. That error has now been corrected.

Update 2: Some text has been changed to better reflect the authorities of the CSE under Bill C-59.

On June 20th, 2017, the Canadian government introduced Bill C-59, an ambitious piece of national security legislation that proposes to dramatically overhaul the legal authorities of Canada’s security institutions. C-59 passed second reading in the Senate on December 11th and is now undergoing committee review, and if the bill successfully passes into law it will be the most comprehensive reform of Canada’s national security landscape since the creation of the Canadian Security Intelligence Service (CSIS) in 1984. One particular government agency, however, stands to gain the most from the sweeping reforms: the Communications Security Establishment (CSE).

CSE is one of Canada’s key security and intelligence agencies alongside CSIS and the Royal Canadian Mounted Police; the Canadian equivalent of the United States’ National Security Agency. When it was first created in 1946, it was called the Communications Branch of the National Research Council (CBNRC) and was tasked with two roles to fulfill for the Government of Canada. The first was to collect and analyze foreign signals intelligence: intelligence gathered from intercepting foreign communications and electronic signals. The second was to protect government telecommunications. In 1975, CBNRC was placed under the administrative control of the Department of National Defence (DND), and it officially became the Communications Security Establishment, but its two primary responsibilities remained largely unchanged.

When the Anti-Terrorism Act received Royal Assent in 2001 as a legislative response to the September 11th terror attacks, it amended the National Defence Act to enhance the operational effectiveness of CSE. Instead of being confined to passively intercepting foreign communications, CSE gained the power to actively seek out and “hunt for information of interest”. In effect, this meant the ability to conduct Computer Network Exploitation (CNE) activities – cyber espionage – such as infiltrating foreign computer networks, exploiting security vulnerabilities in targeted systems, and gathering sensitive or confidential data. The Act also gave CSE a statutory basis for assisting federal law enforcement and security organizations with technical and operational support.

Despite its heightened operational effectiveness, CSE’s current three-pronged mandate remains a fundamentally defensive one. According to Bill Robinson, one of Canada’s leading CSE watchers, any network exploitation operations undertaken by the agency since 2001 would have been for the purpose of gathering foreign signals intelligence, not for causing destructive damage. The realm of offensive Computer Network Attack (CNA) operations involving the use of computer networks to “disrupt, deny, degrade, or destroy information resident in computers and computer networks, or the computers and networks themselves,” are generally thought to be the domain of the military. This is why there has been an ongoing discussion in Canada since 2001 to allow the Canadian Armed Forces (CAF) to develop CNA capabilities, and why the CAF was finally given the green light to do so in Canada’s new 2017 defence policy.

Bill C-59 proposes to change all this in the Communications Security Establishment Act. With a new five-part mandate that includes authorization for both defensive and “active” cyber operations, the bill would give a statutory basis for CSE to act offensively for the first time in its history. According to the agency itself, CSE would gain authorization to conduct active cyber operations to “degrade, disrupt, influence, respond to or interfere” with foreign IT systems “as they relate to Canada’s defence, security or international affairs.” For example, this could involve activities to “interfere with the ability of terrorist groups to recruit Canadians or plan attacks against Canada and its allies.” And with the CAF and the DND being explicitly mentioned in the bill’s clause on CSE’s ability to provide technical and operational support to federal authorities, the agency will likely play an increasing role in the military’s own CNA operations in the future.

At the same time, the bill aims to tighten accountability and oversight over CSE’s activities with the creation of the Intelligence Commissioner and new authorizations being required from both the Minister of National Defence and the Minister of Foreign Affairs when launching offensive cyber operations.  The legislation is also adamant in stating that CSE’s activities must not “(a) cause, intentionally or by criminal negligence, death or bodily harm to an individual; or (b) wilfully attempt in any manner to obstruct, pervert or defeat the course of justice or democracy.”

Despite the limitations set on paper, critics remain skeptical of the effectiveness of the new oversight measures concerning the expanded mandate. For instance, a joint analytical report of the CSE Act by the Citizen Lab and the Canadian Internet Policy & Public Interest Clinic stated that the language governing what types of activities the agency will be authorized to conduct through its active cyber operations is “extraordinarily permissive, […] [setting] out the legal basis to authorize all manner of state-sponsored hacking”. In addition, the report pointed out that the legal provisions underlying what CSE can and cannot do would not apply when the agency provides technical and operational support because its legal authority comes under the organization it is assisting. What this means is that when the agency undertakes a supporting role in the CAF’s cyber warfare operations, civilian employees at CSE could very well be authorized to engage in armed conflicts that may be highly destructive in the context of Canadian military operations.

As Bill C-59 moves closer to becoming law, Canada’s cyber security regime is being revamped to prepare for its arrival. The federal government’s 2018 National Cyber Security Strategy aims to position the Canadian government as both a national and global leader in cyber security governance by establishing a new policy framework that is designed to protect Canada’s digital economy and critical infrastructure sectors from malicious cyber threats. CSE, as Canada’s national cryptologic agency, is destined to play a major role in the Strategy’s initiatives.

But as the agency prepares to take on more proactive responsibilities for the federal government, one thing remains uncertain. So long as CSE’s future cyber operations remain as shrouded in secrecy as its past activities, Canadians may never truly know the validity of the old adage that “the best defence always begins with a good offence”.

Bryan Roh is a Master of Public Policy candidate at the Munk School of Global Affairs & Public Policy and a candidate in the Collaborative Master’s Specialization in Contemporary East and Southeast Asian Studies at the Asian Institute. His research interests are mainly on national and international security issues, particularly in the Asia-Pacific region.