Who reviews cyber attacks in Canada? We need answers.
Last Friday, June 21, the National Security Act, 2017, (better know as Bill C-59), received royal assent. We’ve written a lot about our concerns over Bill C-59 on the International Civil Liberties Monitoring Group’s website, and there will be a lot more to talk about over the coming weeks — especially as various parts of the bill come into effect.
One piece of coverage last week has raised some questions about an important part of the bill, and it will be important to get some clear answers about it going forward.
The Globe and Mail published an article on June 19th about the Communications and Security Establishment’s new active and defensive cyber operations powers. These powers will allow the CSE to go beyond surveillance and take real action — defensively or offensively — against cyber threats to Canada. There are restrictions to these powers — including that they cannot lead to death or bodily harm, cannot interfere with justice or democratic processes, and cannot be aimed at Canadians or anyone in Canada — but they still have broad implications: they empower a civilian agency to engage in cyber attacks, including hacking, taking down websites, disrupting communications, and more.
These powers, especially the active cyber operations — ie, pre-emptive attacks — raised considerable questions and criticisms throughout the study of the bill. These included the potential blow-back or retaliation for cyber attacks; the possibility of Canadians being impacted because of the way the “global information infrastructure” is so interconnected; and the history of cyber-attack tools being leaked or stolen, and then used by criminals or nefarious actors.
Given the scope of these negative possibilities, concerns were also raised about the authorization process: according to the new CSE Act, defensive cyber operations can only be carried out under authorized by the Minister of Defence, after consultation with the Minister of Foreign Affairs; active cyber operations must be authorized by the Minister of Defence with the consent of the Minister of Foreign Affairs.
This is in contrast to the CSE’s new data collection powers, which will have independent oversight from the new Intelligence Commissioner, who will have to approve the Minister of Defence’s data collection authorizations before they can be carried out. If data collection deserve independent oversight, shouldn’t these important cyber operations also deserve independent oversight? That’s what we, the CCLA, Citizen Lab, and even the current CSE watchdog have urged: give the Intelligence Commissioner a role in approving active and defensive cyber operations.
The controversial nature of these powers haven’t escaped the media, and that brings us back to the Globe and Mail article. In it, the reporter presses Public Safety Minister Ralph Goodale (the government’s lead on Bill C-59) about the nature of these new “cyber attack” powers. After explaining why these powers are necessary, the Minister made a curious — and confusing — statement:
The decision to launch cybersecurity attacks will be reviewed by the Intelligence Commissioner, a new position created by the bill, Mr. Goodale said.
This raises questions for two reasons:
- It isn’t clear what the minister meant by a “cybersecurity attack”: The CSE will have the mandate protect Canada’s cybersecurity. The Minister of Defence will be empowered to authorize the CSE’s cybersecurity work, which will then need to be approved by the Intelligence Commissioner. However, this would not allow the CSE to engage in an “attack.”
- As explained, the Intelligence Commissioner (according to the bill) will not play any role regarding active or defensive cyber operations — “reviewing,” approving or otherwise.
I’ve written to the journalist, and she assured me that this is directly what Minister Goodale stated. I explained the concern, and she has forwarded them to her editors. I also have a request in to a member of Minister Goodale’s office asking for clarification.
Why does all this matter?
The CSE is being granted an incredibly powerful new role in Canada’s national security landscape: being able to engage directly in cyber attacks. These are serious new powers, that can have serious repercussions. Around the world, cyber attacks — both state sponsored and independent — are continuing to grow in size and scope.
There needs to be strict, clear and independent oversight of how the CSE engages in these kinds of activities. According to multiple experts and officials, this oversight does not currently exist in Bill C-59. However, the minister in charge of the file just said it does. We need to know for sure.
