The federal government plans to provide further cybersecurity powers to the agency responsible for collecting foreign intelligence and providing cybersecurity services, the Communications Security Establishment (CSE). These powers are meant to enable the CSE to better understand and subsequently mitigate threats directed towards Canada’s critical infrastructure providers. On its face, that may sound like a good idea.
However, given that the CSE is obstinately impeding lawful reviews of its own activities, Canadian politicians should hesitate before placing further responsibilities – and powers – in the agency’s hands.
Nation-state actors are targeting Canadian critical infrastructure. We all rely on this infrastructure to live our lives, to communicate using telecommunications networks, to send and receive money through banking systems, or to travel using transportation systems. The CSE has stated repeatedly that nation-state adversaries are actively targeting critical infrastructure as part of espionage operations and also to prepare for potential attacks.
Critical infrastructure threats are real. Canadian health-care systems and hospitals have been shut down due to ransomware or unexplained attacks during the pandemic. Colonial Pipeline’s shutdown in the U.S. sent ripples across North America. Russia’s targeting of satellite infrastructure at the outset of its illegal war against Ukraine had international implications.
Partially to address these threats to critical infrastructure, the government introduced Bill C-26. The legislation would broadly enable the minister of industry to compel telecommunications providers to undertake security practices and would see the CSE obtain information about the security stances of critical infrastructure providers, as well as cyber incidents that have been detected by providers.
While the CSE has already worked with many critical infrastructure providers – meaning these providers are already sharing cybersecurity information with the CSE – the new legislation would cement that information-sharing in law.
That means a lot more information might flow into the CSE, including potentially private information relating to Canadians. To account for risks like this, Parliament created the National Security and Intelligence Review Agency (NSIRA), a watchdog agency meant to assess Canada’s national security and intelligence agencies. This includes reviewing the CSE’s activities. If C-26 passes, then NSIRA will also be responsible for reviewing how private organizations’ information is received and used by the CSE.
However, there’s a serious problem when it comes to reviewing the CSE’s activities. For two straight years, NSIRA has said it’s had problems getting access from the CSE to information that the watchdog uses to confirm the lawfulness of the CSE’s activities.
NSIRA said in its 2020 annual report that it was unable to appropriately access information held by the CSE. The report took the unusual step of discussing a range of possible ways of obtaining sufficient access to CSE information, so it could verify its accuracy and completeness.
Its 2021 annual report makes clear that things have not improved. According to the report, the CSE insists on determining internally what information is relevant, and then providing this selection of information to reviewers. This stands in contrast to how NSIRA’s authorizing legislation functions. The NSIRA Act makes clear that the watchdog can access any and all information that it deems relevant, regardless of what a reviewed agency such as the CSE considers appropriate.
NSIRA needs either direct access to the CSE information it requires or, alternatively, a way to independently verify the comprehensiveness and accuracy of the information that the CSE provides. This information is necessary for NSIRA to fulfill its lawful mandate and also to prove to Canadians that the highly secretive national security agency is complying with the law.
So, what does this mean for cybersecurity and critical infrastructure? It means that absent a major change in the CSE’s approach to review, NSIRA may be challenged in reviewing the nature of the information that the CSE receives from critical infrastructure providers as a result of Bill C-26, and how that information is then used. To underscore the risk, when NSIRA requested that the CSE provide information and statistics about its pre-C-26 cybersecurity activities for its 2021 annual report, the CSE declined to do so.
Trusting and empowering a top-secret agency such as the CSE to defend and enhance our security doesn’t mean giving it a blank cheque. It has to adhere to the law, including the law which empowers its reviewers to assess any and all of the CSE’s work that reviewers – not the CSE – believe is relevant.
Review can be painful because it can expose mistakes, but mistakes are frankly normal when dealing with the vast amounts of data that the CSE deals with regularly. What’s important is that these errors are identified and corrected as quickly as possible. CSE’s obstinacy impairs this identification and correction process.
As Bill C-26 winds its way through Parliament, legislators should carefully consider what new powers are appropriate to add to the CSE’s already overflowing basket, especially as the CSE experiences growing pains in getting used to being reviewed, as is required under Canadian law. Maybe the powers in C-26 should be conditional on NSIRA being able to conduct reviews and, when they are impeded, the chief of the CSE and the responsible minister should be compelled to appear before a Commons committee to explain the CSE’s failures.
Or perhaps executive pay within the CSE should be linked to enabling independent verification of the CSE’s activities. Regardless of the method, it is now time for the public, Parliament and the government to carefully assess how to ensure that the CSE is operating within the four corners of the law.