The federal government has unveiled a new “sword” that may redefine how it combats cybercriminals. On Dec. 6, Global News reported that Canada’s secretive foreign signals intelligence agency, the Communications Security Establishment (CSE), admitted using its cyber capabilities to « impose costs » on foreign cybercriminals.
In doing so, the CSE has followed in the footsteps of its closest partners in Australia, the United Kingdom, and the United States. Each has committed to deterring criminal behaviours and « imposing costs » as appropriate, including by disrupting the ability of criminals to communicate with one another, receive payments or launch malicious operations.
However, it is not clear what processes the CSE uses when deciding to disrupt criminal activities, nor the extent to which Public Safety Canada is involved in these kinds of operations. This leaves it unclear when, and under what conditions, the CSE will assume a lead in disrupting international cybercrime. The effect is that Canadians lack appropriate degrees of transparency and accountability concerning the condition under which the federal government and the CSE plan to undertake extrajudicial crime-fighting activities.
The CSE has historically been tasked to collect foreign signals intelligence, cybersecurity and to assist other federal government agencies. It was empowered to conduct offensive and defensive cyber operations following the passage of Bill C-59, An Act Respecting National Security Matters, in June 2019.
Conducting active operations requires authorization from the minister of national defence and approval from the minister of foreign affairs (Communications Security Establishment Act, 30(2)). Defensive operations, which may be significantly similar in capability if not motivation, require authorization from the minister of national defence and consultation with the minister of foreign affairs (CSE Act, 29(2)).
It’s helpful to remember that neither of these ministers is responsible for federal policing in Canada, nor do they oversee the Canadian Security Intelligence Service (CSIS), which is responsible for investigating and reporting on activities that pose a threat to Canada. Put another way: the minister of public safety, whom most Canadians would presume is responsible for dealing with serious crime, isn’t in the formal loop when it comes to turning the CSE’s cyberpowers on criminals around the world.
This has the result of muddying the waters of when, and on what grounds, the federal government decides that the CSE is responsible for dealing with criminal behaviours, and the extent to which the CSE has any actual (if not legally required) obligations to work with either the RCMP or CSIS in crafting its offensive or defensive cyber operations.
So what can we make of the CSE’s working to “impose costs” on cybercriminals?
First, the CSE’s imposition of costs on cybercriminals is extra-judicial in nature. These powers are not necessarily used following a formal investigation by the RCMP and conviction of an offender in a court of law. Instead, the CSE’s crime-fighting activities can occur after being condoned by at least a pair of ministers and their staff, and on the basis that they do not believe that the reduction in criminal behaviours could be reasonably achieved by other means (CSE Act, 34(3)). Neither the courts nor Public Safety Canada are necessarily involved in the decision.
Second, even in the debates surrounding the new powers that the CSE is now using, there was little time spent on how the CSE would target criminal infrastructure. Members of Parliament and the public were not involved in a meaningful discussion about when the CSE would become a de facto cybersheriff, let alone the CSE taking it upon itself to punish criminals abroad. That’s not good because it means that MPs cannot really see themselves as having created or passed a law that has led to the CSE’s recent crime-fighting activities, with the broader effect of calling into question the legitimacy (if not the lawfulness) of the CSE’s activities.
Third, the opacity surrounding the CSE’s activities leaves it unclear whether the federal government will be deploying its new “sword” with any frequency, or if a set of triggers must be met before unsheathing it. Will the CSE choose to step in when it thinks that criminals are endangering the public, or when the RCMP passes on a particular case or investigation, or under some other set of conditions entirely? What is the actual role, if any, of the minister of public safety in these international activities? While there may be formal and top-secret protocols that dictate these interactions, Canadians deserve to understand how their government is operating.
Ransomware and other cybercrimes are serious and pressing issues that threaten residents of Canada on a daily basis. But Canadians deserve a government that is committed to addressing crimes through a transparent and legitimate process, and which includes the formalized involvement of the minister of public safety.
Government can’t just ignore due process when it’s inconvenient. As a democracy that prides itself on a high rule of law, Canada cannot slip toward a world where expediency wins over the correct process. Instead, the government must work toward strengthening transparency and accountability associated with government processes. Doing anything less will risk legitimizing the worst extra-judicial actions of authoritarian countries while simultaneously impeding Canada’s own ability to advocate for core democratic norms and principles domestically and abroad.