ICLMG testifies on cybersecurity and cyberwarfare at the National Defence Committee

Our national coordinator, Tim McSorley, testified on March 31, 2023, at the Standing Committee on National Defence for their study of cybersecurity and cyberwarfare.

ICLMG recommended that:

  • Strict separations be established between the CSE’s signals intelligence and cybersecurity activities, including restrictions on information sharing
  • Greater restrictions be placed on the collection, retention and use of both metadata and so-called “publicly available information”
  • Stricter requirements be placed on foreign intelligence and cybersecurity authorizations, as well as approvals of active and defensive cyber operations, to ensure the CSE’s compliance with its obligations towards oversight and review bodies; this includes reporting on the impact of previous activities
  • The CSE immediately implement a system to allow NSIRA to access its records
  • A full review of the CSE’s active and defensive cyber activities take place, with a particular view to compliance with international law and Canada’s role in escalating the promulgation of cyberwarfare activities
  • The government review and restrict the CSE’s international mass surveillance activities

FULL REMARKS

Given our organization's mandate as a watchdog around national security, anti-terrorism and civil liberties in Canada, we have longstanding experience examining the work of the Communications Security Establishment.

We agree that it is vital that Canada take steps to modernize cybersecurity laws to protect the private information of Canadians and the information infrastructure on which we rely. It is also clear that, as cyber-attacks increase in activity and in sophistication, Canada must take steps to defend itself.

However, these actions must not come at the cost of accountability and transparency of government activities, including those of the CSE. In our work, we have seen how overly broad powers and extensive secrecy result in the violation of the rights of Canadians and people in Canada. These can have real-world impacts, including when the information of Canadians and people in Canada is shared internationally with the Five Eyes, as well as with other countries. In the hands of foreign jurisdictions, Canada loses control over how the information may be used, including in ways that can result in rights violations, abuse and even torture.

We also disagree with the premise that the private information of non-Canadians outside of Canada is simply fair game for mass collection and retention; this approach reinforces ongoing global systems of mass surveillance and associated rights violations. This was revealed in detail by Edward Snowden, and while it did lead to promises of reforms, it is unclear to what degree the CSE’s activities have truly changed.

While many of these concerns are related to the CSE’s signals intelligence work, they also apply to the CSE’s cybersecurity and cyberwarfare activities.

For example, while the CSE may have two distinct areas within its mandate – signals intelligence and cybersecurity and information assurance – they do not exist in a silo.

Recently, the BC Civil Liberties Association published material obtained from disclosure in their lawsuit against the federal government regarding the CSE’s operations. These documents reveal, for example, that under an agreement with the former Department of Foreign Affairs, information that CSE collected during its provision of cybersecurity support to the department, including the private communications of Canadians, could be shared with its Five Eyes counterparts. While this agreement dates to 2012, this concern persists under the CSE Act, adopted in 2019.

Specifically, the National Security and Intelligence Review Agency, or NSIRA, noted in its 2021 annual report that the CSE Act explicitly allows for this kind of information sharing between the CSE’s various mandates, including cybersecurity and foreign intelligence. NSIRA raised concerns that this sharing must be narrow and on a case-by-case basis, and that the CSE should obtain legal advice on compliance with the Privacy Act. The CSE disagreed.

Why is this important? Bill C-26, currently being studied by Parliament, would formalize the CSE’s role in ensuring the protection of critical cyber infrastructure and would see the CSE obtain information about the security of critical infrastructure providers. This means that a lot more information will flow into the CSE, including potentially private information relating to Canadians. Without adequate safeguards in place – both in the CSE Act and in Bill C-26 – information collected by the CSE, including that relating to Canadians, could be used in unexpected ways, and shared with unaccountable foreign partners.

For more on this, I would direct committee members to an open letter we co-signed raising significant concerns with C-26, as well as the Citizen Lab’s Cybersecurity Will Not Thrive in Darkness.

The CSE also has a troubling history of obfuscating the nature of its work and violating its mandate.

For example, the CSE tracked the wifi connections of Canadians at a major airport, despite not being allowed to conduct surveillance within Canada; it collected massive amounts of Internet traffic through 200 “Internet backbone” sites worldwide; despite prohibitions, it regularly collected Canadians’ information and received it from foreign partners; and it violated Canadian law for five years by failing to minimize Canadian information shared with Five Eyes partners.

The CSE also resists fully complying with review and oversight. For example, the CSE refuses to grant NSIRA full access to records the Agency needed to carry out its review function. Instead, the CSE requires NSIRA submit a request, and CSE staff provide what they say are relevant documents. This approach, NSIRA wrote in its latest annual report, “undercuts NSIRA’s authority to decide whether information relates to its reviews and contributes to significant delays in the provision of information to NSIRA.”

The Intelligence Commissioner has also raised concerns that CSE authorizations for both foreign intelligence and cybersecurity have not included information crucial to the approval process, particularly regarding the outcomes of previous authorized activities or explanations of specific activities based on facts and not theory.

Finally, NSIRA has also raised concerns that the CSE is not providing adequate information on the impact of active or defensive cyber operations, nor appropriately delineating between the two kinds of activities despite each requiring a different approval process.

To close, I’d like to make some general recommendations:

  • That strict separations be established between the CSE’s signals intelligence and cybersecurity activities, including restrictions on information sharing
  • That greater restrictions be placed on the collection, retention and use of both metadata and so-called “publicly available information”
  • That stricter requirements be placed on foreign intelligence and cybersecurity authorizations, as well as approvals of active and defensive cyber operations, to ensure the CSE’s compliance with its obligations towards oversight and review bodies; this includes reporting on the impact of previous activities
  • That the CSE immediately implement a system to allow NSIRA to access its records
  • That a full review of the CSE’s active and defensive cyber activities take place, with a particular view to compliance with international law and Canada’s role in escalating the promulgation of cyberwarfare activities
  • That the government review and restrict the CSE’s international mass surveillance activities

Thank you.

For sources, see our official written submission here.
