Following the release of documents by Edward Snowden, many of the Western governments whose agencies’ activities were implicated in the leaks raced to update and modernize their national security legislation. Such legislation was, in at least some cases, designed to clearly establish the legality of activities and operations that had already been undertaken for many years in near-absolute secrecy. In June 2019, the Canadian government passed major national security legislation, which massively overhauled how Canada’s signals intelligence agency and cybersecurity agency, the Communications Security Establishment (CSE), could lawfully operate. Those updates are found in Bill C-59: An Act respecting national security matters. This Bill promises to extend and amplify the kinds of activities that the CSE can undertake in the coming decades.
C-59 is a complex, omnibus bill that amended, updated, or replaced elements from 20 other pieces of existing legislation, while also creating several altogether new pieces of legislation. With nine parts, it covers a vast range of issues in the area of national security law — from information-sharing between federal agencies and the maintenance of Canada’s no-fly list, to criminal law terrorism provisions. Prominent among its changes were dramatic reforms to the mandate, capabilities, and authorization frameworks of the CSE. These reforms and new powers are covered in Part 3 of Bill C-59: The Communications Security Establishment Act (CSE Act), and are accompanied by Parts 1 (the National Security and Intelligence Review Agency (NSIRA) Act), and 2 (the Intelligence Commissioner Act). This article examines each aspect of the CSE’s updated mandate, as well as the associated accountability, review, and oversight components of the new legislation.
A Reformed Mandate
The CSE Act expanded the CSE’s mandate from three to five parts. In addition to the categories of foreign intelligence, cybersecurity, and assistance, C-59 added two aspects to the establishment’s mandate: defensive cyber operations (section 18) and active cyber operations (section 19). It also created two new mechanisms: a review body, replacing the Security Intelligence Review Committee with the NSIRA; and an oversight mechanism, replacing the Office of the CSE Commissioner with the Office of the Intelligence Commissioner.
One element of the CSE’s mandate is to acquire and use information from the global information infrastructure — functionally, any kind of system, process, or equipment that is involved in the production of communications or information — for the purpose of collecting foreign intelligence (CSE Act, section 16). Accompanying operations include targeted and mass/bulk surveillance activities aimed at acquiring intelligence about foreign individuals, states, organizations, or terrorist groups as they relate to international affairs, defense, or security (CSE Act, section 2). The CSE Act makes explicit that information can be acquired covertly, including with the assistance of foreign entities, and that such information can be acquired and used, as well as analyzed and disseminated (CSE Act, section 16).
Where the CSE is of the view that its foreign intelligence-related activities could contravene Canadian law, including the Charter of Rights and Freedoms (CSE Act section 22(3)), it must seek a foreign intelligence authorization through written application by the chief of the CSE to the Minister of National Defence (CSE Act, sections 26(2)(b), 33(1)). Such an application must set out the facts and provide reasonable grounds for the minister to conclude: first, the activity being authorized is reasonable and proportionate to the objective and nature of the activities — meaning that the minister believes the information sought could not reasonably be acquired by other means (CSE Act, section 34(2)(a)) — and second, that information acquired and identified as “relating to a Canadian person or person in Canada is used, analysed or retained only if the information is essential to international affairs, defence, or security” (CSE Act, section 34(2)(c)). The CSE is not, however, required to seek or operate under a ministerial authorization (and its protections) where it is of the view that its activities will not violate Canadian law.
After the minister issues a foreign intelligence authorization, the intelligence commissioner must approve the authorization in writing for it to be valid (CSE Act, section 28(1)). Authorizations remain valid for up to one year and can be extended by the minister for up to one additional year. The decision to extend an authorization is not subject to review by the intelligence commissioner, though a new authorization must be issued after the additional year (CSE Act, section 36).
The CSE Act introduces an additional safeguard by requiring the chief of the CSE to notify the minister if there has been a significant change in the facts set out in the original application, and requiring the minister to bring this change to the attention of the intelligence commissioner and the NSIRA (CSE Act, section 37). The intelligence commissioner may then re-examine the authorization and potentially repeal it or require amendments.
Cybersecurity and Information Assurance
The CSE also provides advice, guidance, and services to protect the Government of Canada’s electronic information and information infrastructures, as well as electronic information and information infrastructures explicitly designated as being of importance to the Government of Canada (CSE Act, section 17(a)). Activities under this mandate include acquiring, using, and analyzing information from the global information infrastructure and other sources to provide the aforementioned advice, guidance, and services (CSE Act, section 17(b)).
While subparagraph 17(a)(I) of the CSE Act largely replicates the CSE’s previous cybersecurity mandate, subparagraph 17(a)(II) creates a new framework for the minister to designate privately held electronic information and information infrastructures as being “of importance” to the Government of Canada under subsection 21(1). Subsection 21(1) is open-ended, granting the minister discretion to designate any non-government electronic information, infrastructure information, or class thereof as “important” and bringing it within the scope of the CSE’s cybersecurity and information assurance mandate.
Under this aspect of the CSE’s mandate, a ministerial authorization is only required if activities would contravene Canadian law or a “reasonable expectation of privacy of a Canadian person or person in Canada” (CSE Act, 22(4)). Accordingly, ministerial authorizations can grant access to infrastructure and thereby authorize the CSE to acquire “any information originating from, directed to, stored on or being transmitted on or through” that infrastructure (CSE Act, 27(1) and (2)) in order to help protect the infrastructure per the circumstances described in paragraph 184(2)(e) of the Criminal Code on communications interception. Only information that is necessary to identify, isolate, prevent or mitigate harm to government or critical non-government information or infrastructure may be authorized. In addition, these activities are permissible only following a written request from the infrastructure owner (CSE Act, 33(3)). Furthermore, information may only be retained as long as is reasonably necessary (CSE Act, section 34(3)(a) and (c)), and information identified as relating to a Canadian or person in Canada may only be analyzed, used, or retained if essential (CSE Act, section 34(3)(d)).
Per sections 44 and 45, the CSE may disclose information to persons designated by the minister where such disclosure is necessary to protect federal institutions’ electronic information and infrastructure or any critical non-governmental electronic information and infrastructure. Section 44 is limited in application to information “acquired, used or analysed” during activities carried out under the cybersecurity mandate, limiting the ability of the CSE to disclose any Canadian data it might acquire through its foreign intelligence or assistance mandates to data that is applicable to cybersecurity purposes. In terms of oversight and control, the minister and the intelligence commissioner must approve the cybersecurity authorization, with the minister subsequently responsible for issuing a ministerial order authorizing the disclosure of the obtained information that relates to a Canadian or person in Canada.
Defensive and Active Cyber Operations
The CSE Act added two aspects to the establishment’s mandate in the form of “defensive cyber operations” and “active cyber operations.” They are included together because the activities that can be authorized and their authorization frameworks are broadly similar.
The “defensive cyber operations” aspect of the mandate enables the CSE to conduct activities “to help protect federal institutions’ electronic information and information infrastructures” as well as other electronic information and information infrastructures which have been designated as being of importance to the Government of Canada under subsection 21(1) (CSE Act, section 18). The “active cyber operations” aspect enables the CSE to carry out activities “to degrade, disrupt, influence, respond to or interfere with the capabilities, intentions or activities of a foreign individual, state, organization or terrorist group as they relate to international affairs, defence or security” (section 19).
Under section 31, the activities that can be authorized under either aspect of the mandate are the same and may include:
(a) gaining access to a portion of the global information infrastructure;
(b) installing, maintaining, copying, distributing, searching, modifying, disrupting, deleting or intercepting anything on or through the global information infrastructure;
(c) doing anything that is reasonably necessary to maintain the covert nature of the activity; and
(d) carrying out any other activity that is reasonable in the circumstances and reasonably necessary in aid of any other activity, or class of activities, authorized by the authorization.
The aforementioned “activities” are quite permissive and set out the legal basis to authorize state-sponsored hacking and other activity backed by “anything that is reasonably necessary.”
Compared to foreign intelligence and cybersecurity activities, there are significant differences in the authorization framework for active and defensive cyber operations. The chief of the CSE must still make a written application (CSE Act, section 33(1)) that sets out the facts from which the minister is able to conclude there are reasonable grounds to believe that the authorization is necessary and that the conditions for issuing it in subsection 34(4) are met (CSE Act, section 33(2)). However, unlike in the course of foreign intelligence or cybersecurity related activities, the minister does not need to seek the approval of the intelligence commissioner in the case of cyber operations for the authorization to be valid. Activities under the defensive cyber operations aspect of the mandate can be authorized by the minister alone, who needs only to consult with the Minister of Foreign Affairs (CSE Act, section 29(2)). In cases concerning the active cyber operations aspect of the mandate, the activities can only be authorized if the Minister of Foreign Affairs has requested that the authorization be issued or has consented to its issue (CSE Act, section 30(2)). Further, the CSE may not acquire information under the cyber operations authorization aspect of the establishment’s mandate unless a separate authorization has been issued pursuant to its foreign intelligence or cybersecurity and information assurance mandates (CSE Act, section 34(4)).
Technical and Operational Assistance
The technical and operational assistance aspect of the CSE’s mandate authorizes the use of CSE expertise, resources, and surveillance capabilities to assist federal law enforcement and security agencies (CSE Act, section 20), as well as to support the activities of the Canadian Armed Forces and the Department of National Defence (CSE Act, section 20). When relying on this aspect of its mandate, the CSE has the same authority as the agency or department it is assisting, and is subject to the same limitations as the assisted agency or department (CSE Act, section 25(1)), such as the conditions of a warrant. In addition, these kinds of activities are not required to operate under a ministerial authorization, nor do these activities require approval from the intelligence commissioner. CSE personnel who carry out activities under this aspect of the agency’s mandate also enjoy the same exemptions, protections, and immunities as a person employed by the agency to which the CSE is providing assistance (CSE Act, section 25(2)).
Activities taken under the CSE’s mandate to provide technical and operational assistance may be directed at Canadian persons or persons in Canada, as well as portions of the global information infrastructure within Canada, to the extent the assisted agency is authorized to do so.
Review, Oversight, and Independent Control
Bill C-59 replaced the Security Intelligence Review Committee (SIRC) — which was principally responsible for conducting review of the Canadian Security Intelligence Service (CSIS) — as well as the CSE Commissioner (OCSEC) — which provided review of the CSE — with the NSIRA. The NSIRA is empowered to trace national security and intelligence activities across different agencies (e.g., Canada’s Royal Canadian Mounted Police, Canadian Security Intelligence Service, Canadian Border Services Agency, Communications Security Establishment). The agency is mandated to evaluate, in part, whether the CSE is in compliance with the law as well as the overall reasonableness and necessity of the establishment’s use of its powers (NSIRA Act, section 33(2)(b)). This mandate provides the NSIRA a robust baseline against which to assess and evaluate the activities of the CSE.
While the NSIRA may theoretically access “any information that is in the possession or under the control of any department” in the course of its reviews (NSIRA Act, section 9), there may be some gaps where Canada’s intelligence bodies act in concert with foreign allies and the CSE cannot be said to be in possession or control of certain documents. Given the high frequency with which the CSE interoperates with foreign agencies, this interpretation could limit NSIRA’s ability to evaluate the CSE’s activities. As the agency releases its reviews, the extent to which this is a real limitation, if at all, will become clear.
Under section 54 of the CSE Act, the CSE may enter into “arrangements” with peer intelligence agencies to cooperate, share information, or otherwise further its mandate, though it is unclear in the legislation what, precisely, is meant by an “arrangement.” The Canadian Journalists for Free Expression have raised concerns about this, writing, “[d]ata made available by foreign partners may potentially be acquired in a manner that bypasses safeguards under which the CSE normally operates—in other words, it may be data which the CSE would otherwise require an authorization from the Minister and Intelligence Commissioner to collect on its own.” This means there is a possibility that “arrangements” with foreign partner agencies may provide the CSE with greater access to information on Canadians than it would otherwise have. Again, however, whether this is an issue, or becomes an issue in practice, will only become apparent as the NSIRA conducts its reviews of the CSE’s activities and the sources of the data that are used to fuel CSE’s operations. For clarity, while the CSE is prohibited from requesting that its partners conduct any activity that the CSE itself is not authorized to conduct, the concern is that partner agencies — of their own motivation and without direction or suggestion from the CSE — might provide information to the CSE about a Canadian or person in Canada without the agency having been aware of the given person(s)’ affiliation with Canada.
Oversight and Control
The intelligence commissioner has the power to review some ministerial authorizations, including those by which the CSE acquires information, and conclude whether the basis upon which these authorizations were issued or amended is reasonable (Intelligence Commissioner Act, sections 13-16). The commissioner must approve any foreign intelligence and cybersecurity ministerial authorizations before the CSE can undertake any activities further to these authorizations, save for in emergency circumstances (CSE Act, section 40(2)).
The commissioner can act as an independent control of the CSE’s activities on the basis that the commissioner can refuse to approve ministerial authorizations related to the foreign intelligence and cybersecurity aspects of the CSE’s mandate. Notably, however, decisions of the commissioner can only be appealed where she or he rejects a ministerial authorization — and not where an authorization has been approved that perhaps should not have been. Further, there is no functional framework for amici, intervenors, or public interest organizations to challenge decisions or provide adversarial input. The commissioner also lacks the order-making powers necessary to allow her or him to prevent the CSE from carrying out any activity or compel it to undertake certain measures beyond those contained in the ministerial authorizations. Nor are all classes of the CSE’s activities subject to the commissioner’s oversight, and when authorizations are approved they will presumably provide a general framework for activities undertaken. Combined, this means that the commissioner may be limited in her or his ability to comprehensively provide oversight or impose conditions on specific applications of ministerial authorizations, which might only come to light when confronted with specific classes of programs undertaken by the CSE.
C-59 Is Here. Now What?
Ultimately, C-59 represents a major change in the national security landscape in Canada and raises significant implications for signals intelligence, offensive and defensive cyber activities undertaken by the Canadian government, and for cybersecurity writ large. There is broad consensus amongst government stakeholders that new cybersecurity tools and capabilities were needed to deter threats, and many of C-59’s updates are consistent with contemporary practices of Canada’s democratic allies. Yet the legislation also raises several questions. For example, potential risks may arise from the fact that the intelligence commissioner is not required to approve CSE offensive or defensive cyber operations. Also, whether or not the NSIRA will truly have access to all of the information related to actions taken by the CSE in concert with foreign allies, when CSE itself may not have access to these documents, remains to be seen. Moreover, it is unclear what is meant by the CSE’s updated ability to “degrade, disrupt, influence, respond to or interfere with the capabilities” of non-Canadian entities “as they relate to international affairs, defence or security” (CSE Act, section 20). Other questions revolve around definitions of key terms, like “publicly available information,” “reasonable,” “acquire,” and “international affairs,” including the question of the extent to which some terms should be intentionally vague so as to allow flexibility.
As newly minted legislation, how it will be applied in practice remains to be seen. C-59 is to be examined upon parliamentary review every three years, meaning its first review should occur by 2022. The utility of that review will depend, in part, on the effectiveness of the new review apparatus that was created alongside the update to the CSE’s mandate. The CSE’s review and oversight bodies will therefore be some of the most important actors in how the CSE Act is evaluated in 2022, and that evaluation will depend on their dedication, competence, and potential willingness to speak truth to power.
The authors would like to acknowledge the helpful comments provided by Lex Gill and anonymous commentators. Any errors remain solely with the authors of the article.