House standing committee on national defence (NDDN): November 21, 2024

Table of contents

• Appearance details
• Key highlights and prep material
  • Page proofs
  • Key topics and media lines
• Issue notes
  • Supplementary estimates B overview note
  • Top cybersecurity points
  • Chronology of events
  • Motion of Privilege - Cyber attack against Members of Parliament (MPs)
  • Cyber security and cyber capabilities within DND/CAF and CSE
  • Foreign interference and the democratic process
  • Defence Policy Update
  • Emerging technology
  • Accountability, review, and oversight
  • National Cyber Threat Assessment (NCTA) 2025-2026
  • Indian foreign interference
  • COMSEC and satellites
  • Arctic defence and sovereignty

Appearance details

Date: November 21, 2024

Location: Room 025-B, West Block

Time: 8:15 am to 10:15 am

Appearing:

• The Honourable Bill Blair
  Minister of National Defence
• Caroline Xavier
  Chief, Communications Security Establishment (CSE)
• Hughes St-Pierre
  Chief Financial Officer, Communications Security Establishment
• Stefanie Beck
  Deputy Minister, Department of National Defence
• Jonathan Moor
  Chief Financial Officer, Department of National Defence
• Nancy Tremblay
  Assistant Deputy Minister, Material, Department of National Defence
• Lieutenant-General Stephen Kelsey
  Vice Chief of the Defence Staff, Canadian Armed Forces

Details:
The Minister of National Defence will appear alongside senior departmental officials to speak on the Supplementary Estimates B 2024-25.

Key highlights and prep material

Page proofs

Supplementary Estimates (B), 2024-25 Annex

Items for inclusion in the Proposed Schedules to the Appropriation Bill

Supplementary Estimates (B), 2024-25

Supplementary Estimates (B), 2024-25
Budgetary expenditures by standard object

This table shows the forecast of total expenditures by Standard Object, which includes the types of goods or services to be acquired, or the transfer payments to be made and the funds to be credited to the vote.

Definitions of standard objects available at: http://www.tpsgc-pwgsc.gc.ca/recgen/pceaf-gwcoa/2425/7-eng.html

Horizontal items

The items listed in this table are horizontal initiatives and other jointly funded items. Both types of horizontal items generally involve two or more organizations with a formal funding agreement (e.g. Memorandum to Cabinet or Treasury Board submission). Through horizontal initiatives, the organizations work in partnership toward the achievement of shared outcomes. In jointly funded items, organizations receive incremental funding, and each independently contributes to the realization of the stated objective(s).

Key topics and media lines

Key topics - high-level

• CSE’s 2024-25 Main Estimates are $1,041.7M, a net funding increase of $75.8M from the 2023-24 Main Estimates of $965.9M.
• CSE’s 2024-25 Supplementary Estimates B represent a net funding increase of $58.9M.

Recruitment and retention

• CSE an employer of choice – we are fortunate that many talented people choose to work with us. Each year CSE receives on average, 10,000 to 15,000 applications from applicants with diverse skill sets and cultural backgrounds.
• Over the past several years, CSE has experienced continued and sustained growth. We believe that this growth, combined with our comparatively low attrition rate reflects the positive work environment, employee development and support programs we have in place.
• CSE has also been recognized as a Top Employer in 2020, 2021, 2022, and 2023, as well as one of Canada’s Top Employer for Youth for the past 8 years in a row.
• CSE has a very low attrition rate, but we do have employees who choose to pursue opportunities outside the CSE. No organization has a zero percent attrition rate, nor would they want it. We value the contribution of all employees; no matter how long they stay with us.
• CSE employees are amongst the smartest and most talented people in their fields. Their unique skillsets are in high demand and there are opportunities for them outside of CSE.
• There was a slight rise in the number of employees leaving during and post-pandemic, but our overall numbers are still very low.

Facts

• Since 2014, CSE and the Government of Canada have officially attributed 13 cyber incidents to nation-state and state-affiliated actors.
• Over the 2023-24 fiscal year, CSE grew its workforce by 9 percent to 3,529 full-time, permanent employees [CSE annual report 2023-2024].

Budget reductions

• CSE will contribute $20.0M ongoing by FY2026-27 to TBS’ budget reduction effort.
• Reductions will be achieved through efficiencies in operating and salary expenditures without affecting operational priorities.
• CSE has examined the years ahead and has developed a strategy to meet the spending reductions outlined by TBS.
• CSE is committed to meeting spending reductions while still delivering its mission. CSE is carefully analyzing the areas that could be reduced with the least operational impact.

Contracting

• CSE does not publicly disclose information pertaining to contracts with vendors for National Security reasons. Furthermore, we do not disclose detailed information about our workforce.
• The information would provide hostile actors insights that could be used to compromise CSE operations and defences.
• That said:
  • CSE is an organization largely made up of IT experts which reduces our need for contracted resources.
  • CSE employees have an obligation under the Ethics Charter to declare any conflicts of interest.
  • We have a robust internal regime for the disclosure, prevention and management of any situation that would give rise to concerns related to conflicts of interest.
  • CSE has a Contract Review Committee and constantly reinforces its contracting processes based on guidance provided by PSPC, the OAG and Central Agencies.

Fraudulent billing

• A PSPC administrative investigation uncovered a number of fraudulent billing schemes.
• As of November 6, 2024, PSPC has now referred a total of seven cases to the Royal Canadian Mounted Police (RCMP) for criminal investigation.
• CSE is one of the impacted federal organizations ($328K).
• CSE continues to work closely with PSPC on this matter.
• CSE takes contracting very seriously, including our responsibility as stewards of public funds. We constantly review and reinforce appropriate internal controls aligned with the best practices set out for the Government of Canada.
• CSE is not in a position to share more information than is already in the public domain.

Cyber defence

• The Government of Canada deals with ongoing and persistent cyber risks and threats every day. These threats are real, they are sophisticated, and they continue to evolve.
• CSE is always monitoring for cyber threats and as the threat landscape changes and will continue to assess its requirements.
• Although CSE generally does not comment on cyber incidents, I can assure the committee members that we are working with our federal partners, including smaller departments and agencies, to make them aware of the threats and remind them of cyber security best practices.
• The government has systems and tools in place to monitor threats, and CSE continues to use all the resources at its disposal to protect the GC from these evolving threats.
• For example, CSE’s Cyber Centre uses sensors, which are software tools installed in partner IT systems, to detect malicious cyber activity on government networks, systems, and cloud infrastructure.
  • Last year, our automated defences protected the Government of Canada from 2.4 trillion malicious actions, an average of 6.6 billion a day.
• CSE works with departments including SSC, TBS, Public Safety, the RCMP, CSIS), and the Department of National Defence (DND) on a number of cyber security issues.
• Cyber defence is the responsibility of all GC departments and agencies. We continue to work together to ensure we can detect and investigate potential threats, and take active measures as required.

Issue notes

CSE overview note - Supplementary Estimates (B) 24-25

Speaking notes

• The Communications Security Establishment (CSE) is one of Canada’s key security and intelligence agencies and the lead federal technical authority for cyber security.
• CSE provides valuable foreign intelligence to inform the Government of Canada’s decision making and protect national security.
• Its sophisticated cyber and technical expertise helps identify, prepare for, and defend against threats to Canada and its cyber systems and networks.
• While conducting these activities, CSE respects the highest standards of lawfulness, ethics, values, and the protection of Canadians’ privacy.
• CSE’s 2024-25 Supplementary Estimates (B) represent a net funding increase of $58.9M, including Employee Benefit Plan (EBP) costs.

Details

• The increase in CSE’s Main Estimates can be attributed to:
  • Treasury Board Submission funding of $49.1M (including $0.6M for EBP) to ‘Invest in Canada as an Effective Cyber Power’.
• A net funding increase of $9.9M resulting from five interdepartmental transfers:
  • Transfer of $9.9M from Department of National Defence for information management and information technology support services.
  • Transfer of $3.1M from Shared Services Canada for the operation of the Secure Communications for National Leadership Program (SCNL).
  • Transfer of $2.2M to GAC in support of cyber security services for Ukraine.
  • Transfer of $738K to Global Affairs Canada (GAC) to support CSE staff located at liaison offices abroad; and
  • Transfer of $150K to Employment and Social Development to support Policy Horizons Canada.

Background

Treasury Board Submission funding of $49.1M (including $0.6M for EBP) to ‘Invest in Canada as an Effective Cyber Power’.

• This investment will enhance CSE’s ability to protect Canada’s economic security, defend democratic processes, and advance Canada’s international affairs, defence, and security interests.

A net funding increase of $9.9M resulting from five interdepartmental transfers.

• Transfer of $9.9M from Department of National Defence for information management and information technology support services.
• Transfer of $3.1M from Shared Services Canada for the operation of the Secure Communications for National Leadership Program (SCNL).
  • This program will help to provide secure mobile phone capabilities for Ministers and senior officials. The SCNL is a joint PCO, CSE and SSC initiative that enables a modern, mobile and secure means of communications for Ministers and senior officials classified up to SECRET.
• Transfer of $2.2M to GAC in support of cyber security services for Ukraine.
• Transfer of $738K to Global Affairs Canada (GAC) to support CSE staff located at liaison offices abroad.
  • GAC is a common service provider for Government of Canada operations abroad and receives compensation for the increased cost of operations resulting from staff being posted at Canadian missions and liaison offices by other government departments.
• Transfer of $150K to Employment and Social Development to support Policy Horizons Canada.
  • Policy Horizons Canada is the Government of Canada’s centre of excellence in foresight. Policy Horizon Canada’s goal is to empower the Government of Canada with a future-oriented mindset and outlook to strengthen decision making.

Top cybersecurity points

• Cyber security is a foundation for Canada’s future, for our digital economy, our personal safety, and national prosperity and competitiveness.
• Every day, the Communications Security Establishment (CSE) uses its sophisticated cyber and technical expertise to help monitor, detect, and investigate threats against Canada’s information systems and networks, and to take active measures to address them.
• CSE’s Canadian Centre for Cyber Security (Cyber Centre) is Canada’s technical and operational authority on cyber security. As part of CSE, it provides leading-edge advice and services to help prevent cyber incidents and keep critical services up and running, including by using sensors to detect malicious cyber activity at the host, cloud, and network levels.
• The Cyber Centre’s mandate covers federal institutions and systems of importance, which include critical infrastructure. Under the CSE Act, the Cyber Centre can also assist any other entity designated by the Minister of National Defence as being of importance to the Government of Canada. Examples last year include providing cyber defence services to the territories and cyber security assistance to Ukraine and Latvia
• Recent and ongoing geopolitical events and incidents of cybercrime have elevated the potential risk of cyber threats. CSE continues to publish advice and guidance to help all sectors protect themselves from cyber threats. It works with industry partners, including government and non-government partners, to share threat information and cyber security best practices.
• If Canadian companies have been impacted by cyber threats, they are urged to contact the Cyber Centre toll free at 1-833-CYBER-88, by email contact@cyber.gc.ca or visit https://www.cyber.gc.ca/en/incident-management.
• Bill C-26 (An Act Respecting Cyber Security), currently before the Senate, is a critical next step that provides the government with new tools and authorities to better bolster defences, improve security across critical federally regulated industry sectors, and protect Canadians and Canada’s critical infrastructure from cyber threats.
• Cyber security matters to all of us, and the federal government works together with other jurisdictions, organizations, as well as critical infrastructure network defenders to raise Canada’s cyber security bar.
• If Canadian companies have been impacted by cyber threats, I urge them to contact the Cyber Centre toll free at 1-833-CYBER-88, by email contact@cyber.gc.ca or report an incident through the Cyber.gc.ca website.

Background

• CSE utilizes its mandate to reduce the impact of cybercrime on Canadian businesses, organizations, and individuals.
• Ongoing efforts include:
  • collecting intelligence on cybercrime groups
  • enhancing cyber defences to protect critical systems against cybercrime threats
  • advising Canadian critical infrastructure providers on how to protect themselves against cybercrime; and
  • using active cyber operations capabilities (ACO) to disrupt the activities of cybercrime groups.
• In addition, working with Canadian and allied partners, CSE has conducted ACO to reduce the ability of cybercrime groups to:
  • target Canadians, Canadian businesses and institutions
  • launch ransomware attacks
  • solicit, buy and sell cybercrime goods and services
• These operations imposed costs on cybercrime groups by making their activities more difficult and less profitable. The aim is to deter future cybercrime attempts on Canadian targets.

Chronology of events

Email tracking link campaign targeting Canadian Parliamentarians

The Communications Security Establishment Canada (CSE) has determined that cyber threat activity by the People’s Republic of China (PRC) outpaces cyber threats from other nation states in volume, sophistication and breadth of targeting. The Canadian Centre for Cyber Security (Cyber Centre), a part of CSE, has observed widespread targeting by the PRC. This activity poses a serious threat to Canadian entities across a range of sectors and has targeted:

• all branches of government
• non-government organizations, academia and research institutions
• critical infrastructure
• industry, including the Canadian research and development sector

When the Cyber Centre identifies cyber threat activity targeting a Canadian or a Canadian organization, it shares this information with the system owner to assist them in identifying and mitigating the threat and notifying affected users, as required.

In January 2021, the Cyber Centre informed House of Commons (HoC) IT security officials of spearphishing activity targeting parliamentary email accounts. These spear-phishing emails try to get the recipient to open an email that contains an embedded image (i.e., tracking link) that connects to a threat actor–controlled server. This allows the threat actor to confirm the validity of the targeted email addresses and gather preliminary data about the users, such as basic device and local network information. These emails can be a precursor to follow-on activity from the threat actor.

From January to April 2021, the Cyber Centre and the Canadian Security Intelligence Service (CSIS) met with HoC IT security and CSE shared at least 12 reports that contained technical indicators of compromise affecting HoC IT systems. In November 2021, CSIS issued a classified Analytical Brief to 35 GC clients on the topic of APT31’s tracking link campaign targeting members of the Inter-Parliamentary Alliance on China (IPAC). In June 2022, the Federal Bureau of Investigation (FBI) released a report to CSE and CSIS detailing a PRC tracking link campaign, which included this HoC activity.

Below is the chronology of actions taken by the Cyber Centre and CSIS to notify and aid HoC officials in their detection and mitigation efforts.

Note: The Cyber Centre has shared reporting related to tracking links targeting parliamentarians with the HoC and CSIS since at least late 2018.

Chronology of events

January 22, 2021

• The Cyber Centre Incident Handler issues a report to the HoC IT Security Mailbox, indicating that emails containing tracking links were sent to users with @parl.gc.ca and @sen.parl.gc.ca email addresses.
  • Only technical details associated with the network traffic were available.

January 25, 2021

• The HoC Senior IT Security Analyst acknowledges receipt of the January 22 report.
  • The HoC did not provide any additional feedback.

January 29, 2021

• The Cyber Centre Incident Handler follows up with the HoC IT Security Mailbox to request feedback on the January 22 report.

February 3, 2021

• The Cyber Centre Incident Handler follows up to request feedback on January 22 report.
  • The HoC Senior IT Security Analyst responded to the Cyber Centre Incident Handler and indicated that the issue was handled internally.

February 17, 2021

• The Cyber Centre Incident Handler issues a second report to the HoC IT Security Mailbox, indicating that sophisticated actors were conducting network reconnaissance of devices known to connect to the HoC virtual private network (VPN).
  • On March 1, HoC Director, IT Security, informed the Cyber Centre Incident Handler that at least one IP address was associated with the home network of an undisclosed HoC user and that the HoC was able to obtain two devices for analysis.
  • On March 5, the Cyber Centre Incident Handler made a request to HoC Director, IT Security, to perform a forensic analysis on the devices to validate that no malicious activity occurred. The HoC did not provide the devices to the Cyber Centre.

February 17, 2021

• HoC Director, IT Security, and representatives from CSIS and the Cyber Centre meet to discuss further collaboration on the incident.
  • HoC Director, IT Security, provided the Cyber Centre’s Incident Management team with a printed document containing a sample malicious email and the names of eight MPs who were intended recipients of malicious emails.
  • According to the document, the HoC assessed at the time that the emails did not reach the intended HoC recipients. However, the HoC indicated that some recipients may have received similar messages on their personal email addresses.

February 18, 2021

• A Cyber Triage Unit (CTU) meeting is held between CSIS and the Cyber Centre to discuss the combined response efforts of each organization.
  • It was decided that CSIS would engage with the HoC. The Cyber Centre Incident Management team provided CSIS with a list of technical questions to aid in analyzing the suspicious activity.

February 18, 2021

• The Cyber Centre Incident Handler issues a third report to the HoC, identifying further network domain name system (DNS) traffic of concern.

February 19, 2021

• CSIS and the Cyber Centre meet with HoC Director, IT Security, to discuss the scope of the incident and possible forensic analysis.

February 22, 2021

• CSIS and the Cyber Centre meet with HoC Director, IT Security for a follow-up to the 19 February meeting
  • HoC Director, IT Security, stated that the HoC team had spent a substantial amount of time looking into the incident after the 19 February meeting. HoC Director, IT Security, provided forensic data to CSIS and gave permission for Cyber Centre personnel to make a copy, which was done at the conclusion of the meeting.

February 23, 2021

• A CTU meeting is held between CSIS and the Cyber Centre.
  • Following the meeting, the Cyber Centre Incident Handler provided further follow-up questions for CSIS to relay to the HoC to help with the investigation.

February 24, 2021

• A CTU meeting is held between CSIS and the Cyber Centre to establish a framework for joint engagements with the HoC.
  • Following the meeting, the Cyber Centre Incident Handler provided their investigative follow-up questions from February 23 directly to HoC Director, IT Security, and requested copies of the actual emails identified in the list. HoC Director, IT Security, did not provide the emails.

February 24, 2021

• The Cyber Centre Incident Handler issues a fourth report to the HoC IT Security Mailbox, indicating that sophisticated actors were scanning IP addresses that may be associated with HoC devices.
• The Cyber Centre issues a fifth report to the HoC, indicating that between February 23 and 24, 2021, network DNS traffic was observed going to a previously reported domain at HoC. 

February 26, 2021

• The Cyber Centre Incident Handler receives an email from HoC Director, IT Security, indicating that more emails and shared metadata for 41 emails had been sent to 13 MPs between January 21 and 28, 2021. Of those emails, 31 were either read or inadvertently opened.
  • Of the 13 MPs named in this email, 7 were also named in the report shared by HoC Director, IT Security, at the February 17 meeting, bringing the total number of MPs known to have received malicious emails to 14.
  • In this same email, HoC Director, IT Security, noted that, on February 10, 2021, the Senate provided information on a malicious email they received (no additional information).

March 1, 2021

• In response to a Cyber Centre request for clarification on the number of Senate users who may have received these emails, HoC Director, IT Security, indicates that they identified two suspicious emails that had been sent to Senate clients.
  • Upon receiving notification from the HoC, the Senate provided the HoC with a sample email and reported that the “emails themselves were permanently deleted by vigilant clients who received them.”

March 3, 2021

• The Cyber Centre Incident Handler issues a sixth report to the HoC, containing suspicious IP addresses connecting to HoC email servers.

March 9, 2021

• The Cyber Centre Incident Handler issues a seventh report to the HoC IT Security Mailbox, indicating that infrastructure used by a sophisticated actor was connecting to mail servers belonging to both the Senate and the HoC.

March 17, 2021

• The Cyber Centre Incident Handler issues an eighth report to the HoC IT Security Mailbox, indicating that on March 11, 2021, a device at the HoC connected to suspected malicious command and control (C2) infrastructure.
  • The HoC IT Security Analyst responded that the implicated device was a personal device on a portion of HoC’s network intended for personal devices, and that the device had not been detected inside the office network.
  • On March 29, the Cyber Centre Incident Handler asked the HoC IT Security Analyst for further technical and contextual information to better assess the situation. The HoC IT Security Analyst acknowledged the request, but never provided the requested information, despite an additional follow-up from the Cyber Centre Incident Handler on April 8.

March 23, 2021

• The Cyber Centre Incident Handler issues a ninth report to the HoC IT Security Mailbox, indicating that the Cyber Centre detected suspicious connections to HoC web portals.
  • HoC acknowledged receipt the same day.

March 30, 2021

• The Cyber Centre Incident Handler issues a tenth report to the HoC, identifying malicious network activity at HoC.
  • HoC acknowledged receipt the same day.

April 19, 2021

• The Cyber Centre Incident Handler issues an eleventh report to the HoC IT Security Mailbox, indicating that the Cyber Centre detected new activity, consisting of several IP addresses connecting to web portals at the HoC.
  • HoC acknowledged receipt the same day and requested additional technical context which was provided by Cyber Centre on April 20th

April 22, 2021

• The Cyber Centre Incident Handler issues a twelfth report to the HoC IT Security Mailbox, indicating that the same device identified in the Cyber Centre’s report from March 17, 2021, was suspected to be infected with malware and was connecting to suspected malicious C2 infrastructure.
  • HoC confirmed receipt and indicated they were investigating the issue; however no additional feedback was received.

April 29, 2021

• CSIS meets with HoC Director, IT Security, and provides method for identifying other possible targets of tracking emails.

June 3, 2021

• CSIS meets with HoC Director, IT Security. CSIS conveys that all targeted Parliamentarians were members of IPAC and provides HoC Director, IT Security, with a full list of the Canadian Parliamentarians who were members of IPAC.
  • HoC agreed to conduct further searches of the additional names in HoC logs for evidence of additional targeting. HoC Director, IT Security reiterated that any such tracking link emails sent to the HoC network would have been undeliverable.

July 29, 2021

• CSIS meets with HoC Director, IT Security, to discuss previously disclosed forensic analysis and provide CSIS' analysis of the information provided by the HoC.

November 19, 2021

• CSIS issues a classified Analytical Brief to 35 GC clients on the topic of APT31's tracking link campaign targeting members of IPAC.

June 29, 2022

• The Cyber Centre and CSIS receive an FBI report detailing a PRC tracking link campaign, which the FBI attributed to APT31, targeting 406 unique email addresses of individuals around the world, including individuals who have been outspoken on topics relating to the activities of the Chinese Communist Party.
  • The report included 20 email addresses believed to have been targeted in January 2022, 19 of which were @parl.gc.ca or @sen.parl.gc.ca email addresses.
  • Of the 19 email addresses identified, 14 had been disclosed to the Cyber Centre by HoC Director, IT Security, on February 17, 2021 and February 26, 2021.

June 30, 2022

• The Cyber Centre Incident Handler shares the details of the FBI report with the HoC IT Security Mailbox, following deconfliction with CSIS.
  • The Cyber Centre noted that the activity was associated with a sophisticated threat actor and included a description of the techniques that had been used, the malicious indicators, the named MPs and senators, and advice on technical mitigation.
  • On July 4, 2022, the HoC IT Security Analyst responded to the Cyber Centre Incident Handler and indicated that the only activity they had found dated back to January 2021.
  • On July 21, 2022, the FBI confirmed to the Cyber Centre Incident Management Team that the activity noted in their June 2022 report had occurred in January 2021. This indicated that the FBI report described the same activity that CSIS and the Cyber Centre reported on and shared with the HoC in January 2021.

July 14, 2022

• The Cyber Centre publishes a classified threat assessment entitled "Revisiting PRC Email Operations against Canadian Parliamentarians".

July 20, 2022

• The Cyber Centre publishes a classified threat assessment about APT31 activity against the Government of Canada observe between June to September 2021.

July 22, 2022

• The Cyber Centre publishes a classified threat assessment focusing on how the very high volume of PRC cyberespionage has been difficult to defend against.

December 19, 2022

• Cyber Centre publishes a threat assessment entitled "PRC Email Operations against Canadians".

August 25, 2023

• CSIS issues a classified Intelligence Assessment to relevant GC clients that references APT31's 2021 tracking link campaign targeting members of IPAC.

CSE cyber defence tools for HoC systems

2016

• Initial discussions between CSE and the HoC begin on the full suite of specialized cyber defence tools that CSE offers to Government of Canada departments and agencies.

2018

• The HoC adopts the Cyber Centre’s network-based protections.

2020

• The HoC implements the full suite of Cyber Centre tools.
  • These tools were and remain a vital component in protecting the Government of Canada’s IT systems.

2022

• In October, the HoC expands Cyber Centre suite of tools coverage.

Motion of Privilege - Cyber attack against Members of Parliament (MPs)

• The Government of Canada takes its responsibility very seriously to safeguard Canada’s democratic institutions.
• Pursuant to the CSE Act, the Communications Security Establishment Canada (CSE) and its Canadian Centre for Cyber Security (Cyber Centre) share intelligence and information with government clients, including appropriate authorities in Parliament.
• The House of Commons (HoC) and Senate are independent, and their officials are responsible for determining when and how to directly engage with MPs and Senators in situations like this.
• CSE continues to monitor GC networks and systems of importance for cyber threats. CSE is working in close coordination with government partners, including relevant security agencies.
• CSE has been fully transparent in this matter and is adhering to the motion passed at the Committee on Procedure and House Affairs (PROC) which includes appearances and the production of papers. CSE understands the importance of this motion and is working diligently to comply with the Committee’s motion.
• In the case of the email tracking link campaign targeting Canadian parliamentarians, CSE and other security agencies received the report from the FBI in June 2022.
• CSE immediately shared the information, including the names of the targeted parliamentarians, with the HoC.
• This was specific, actionable technical information on this threat, shared with HoC IT officials.
• This is the normal process with other Government of Canada partners when threats are detected.
• CSE’s engagement with the HoC started well before receiving the FBI report in question. CSE had been helping the HoC to take quick and appropriate measures within their systems to protect their network and users against this and other threats.
• It’s important to add that, though it may not always be public, CSE has and will continue to take a range of measures to protect MPs and Senators, including remaining in regular contact with the House of Commons officials.

Background

How CSE protects the democratic process:

• CSE helps to protect Canada’s democratic process by:
  • providing foreign signals intelligence to Government of Canada decision-makers about the intentions, capabilities, and activities of foreign-based threat actors.
  • defending Canada’s federal elections infrastructure from malicious cyber activity.
  • proactively helping democratic institutions improve their cyber security.
  • sharing unclassified threat assessments with the public.
  • sharing information to help Canadians identify disinformation.
• To support Parliamentarians, the Cyber Centre, a part of CSE, provides a 24/7 hotline service offering direct support in the event of a cyber incident. The Cyber Centre has provided cyber threat briefings to political parties as well as a dedicated point of contact at the Cyber Centre for assistance with cyber security matters.
• In the run-up to both the 2019 and 2021 federal elections, the Minister of National Defence authorized CSE to conduct defensive cyber operations (DCO) to protect Canada’s election infrastructure from malicious cyber activity if needed. In the event, no activities took place that would have required a DCO response.
• CSE’s Cyber Centre works closely with Elections Canada, elections authorities and political parties on cyber security preparedness. This includes offering briefings, training resources, consultations, tailored advice and cyber security services.
• The Cyber Centre has an ongoing relationship with Elections Canada, which includes:
  • monitoring services to detect cyber threats.
  • working with them to secure their computer networks.
  • incident response assistance, if necessary.
• Provincial and territorial (PTs) elections authorities can take advantage of services the Cyber Centre provides to critical infrastructure partners, such as:
  • cyber alerts (including mitigation steps)
  • malware analysis
  • cyber incident advice and support
• In the event a federal election is called, the Cyber Centre is ready to stand up a dedicated hotline for federal political parties offering 24/7 cyber security technical support.
• Outside of election periods, the Cyber Centre has a dedicated point of contact political parties can reach out to on cyber security matters.
• Elections Canada will be able to rely on existing channels of communication with the Cyber Centre’s democratic institutions team.

State-sponsored Actors Targeting Parliamentarians (APT31)

• 19 Canadian members of the Inter-Parliamentary Alliance on China (IPAC) were notified by the Executive Director in April 2024 they had been targeted by a Chinese state-sponsored cyber actor. This information was based on an FBI report that assessed IPAC members were targeted by Advanced Persistent Threat actor (APT) 31.
• The FBI report was received by Canada’s security agencies, and the information that included the names of the targeted parliamentarians was shared in 2022.
• CSE shared specific, actionable technical information on this threat with HoC officials, as would be our normal process with other Government of Canada partners when threats are detected.
• This engagement with the HoC started well before receiving the FBI report in question, as we had been tracking and helping them to take quick and appropriate measures within their systems to protect their network and users against this, and other threats.
• Questions related to how MPs are engaged on situations like this would be best addressed by HoC officials.

Cyber capabilities within DND/CAF and CSE

• Potential adversaries are leveraging and developing cyber capabilities to exploit vulnerabilities in our cyber systems.
• The Communications Security Establishment Canada (CSE) employs sophisticated cyber tools and technical expertise to help identify, prepare for, and defend against cyber threats, as well as to impose costs on malign actors that seek to harm Canada’s information systems, networks, businesses, and institutions.
• CSE’s Canadian Centre for Cyber Security (the Cyber Centre) is Canada’s authority on cyber security. As a unified source of expert advice and guidance, CSE’s Cyber Centre leads the Government’s operational response to cyber incidents. The Cyber Centre also collaborates with the rest of government, the private sector and academia to strengthen Canada’s cyber resilience.
• Cyber operations capabilities are also a key element of military and state power, needed to deter and defeat external threats to Canada in times of peace and conflict.
• CSE and the Canadian Armed Forces (CAF) continue to work with domestic and international partners to support and build a stable cyberspace built on the respect for international law and the norms of responsible state behaviour in cyberspace.
  • Accordingly, CSE conducts joint cyber operations with the CAF to support mission objectives. Cyber operations capabilities are a key element of military and state power, needed to deter and defeat foreign-based threats to Canada in times of peace and conflict.
• The CAF contributes to international peace and security through cyber threat intelligence sharing with Allies and partners, and through the conduct of full spectrum cyber operations as authorized by the Government of Canada.
• Specifically, the CAF relies on the force multiplier effects of technology enabled communications, intelligence, and weapon systems, all of which must be secured and defended from cyber threats.
• Canada’s updated Defence Policy: Our North, Strong and Free announced commitments to improve the Canadian Armed Forces’ ability to conduct cyber operations.
• This includes establishing a Canadian Armed Forces Cyber Command, and a joint Canadian operations capability between CSE and the CAF.
• Strengthening the Canadian Armed Forces’ cyber resilience through the Cyber Mission Assurance Program, in partnership with CSE, the CAF will also establish a cyber security certification program to protect defence supply chains from cyber threats.

Quick facts

The CSE Act sets out five aspects of CSE’s mandate, which contributes to the lines of operations above. This includes:

• Cybersecurity and information assurance
• Foreign intelligence
• Defensive cyber operations
• Active cyber operations; and
• Technical and operational assistance

CSE may use defensive cyber operations to defend Canada against foreign cyber threats by taking online action. For example, CSE could prevent cyber criminals from stealing information from a Government of Canada network by disabling their foreign server. This authority can also be used to defend systems designated by the Minister of National Defence as being of importance to the Government of Canada, such as energy grids, telecommunications networks, healthcare databases, banking systems, and elections infrastructure.

Active cyber operations allow CSE to take online action to disrupt the capabilities of foreign threats to Canada, such as: foreign terrorist groups, foreign cyber criminals, hostile intelligence agencies, and state-sponsored hackers. Threats that CSE disrupts must relate to international affairs, defence or security.

CSE, supported by Global Affairs Canada and the CAF, has a proven track record that respects and reinforces Canada’s statement on international law and cyber norms.

CSE’s Canadian Centre for Cyber Security (the Cyber Centre) reminds the Canadian cybersecurity community, especially infrastructure network defenders, to be vigilant against sophisticated cyber threats.

Canadian Armed Forces cyber capabilities:

• Defensive cyber operations are employed to respond and/or counter a threat by an adversary in cyberspace, whereas offensive cyber operations are conducted to project power in, or through, cyberspace to achieve effects in support of military objectives.
• CSE and the CAF continue to develop and scale offensive and defensive cyber operations capabilities. This partnership enables Cyber operations and provides the Government of Canada flexibility in achieving strategic objectives.
• The Canadian Armed Forces holds the responsibility of safeguarding its military networks on a continuous basis, and actively cooperates with CSE and international partners to help protect joint critical networks among Allies and within NATO.

Background

CSE and its Canadian Centre for Cyber Security

• Cyber security is a foundation for Canada’s future, for our digital economy, our personal safety, and national prosperity and competitiveness.
• Every day, the Communications Security Establishment Canada (CSE) uses its sophisticated cyber and technical expertise to help monitor, detect, and investigate threats against Canada’s information systems and networks, and to take active measures to address them.
• Recent geopolitical events have elevated the potential risk of cyber threats, as outlined in the 2025-2026 National Cyber Threat Assessment.
• CSE continues to publish advice and guidance to help organizations be less vulnerable and more secure. It works with industry partners, including government and non-government partners, to share threat information and cyber security best practices.
• Cyber security is a whole-of-society concern, and the federal government works together with other jurisdictions, organizations, as well as critical infrastructure network defenders to raise Canada’s cyber security bar.
• If Canadian companies have been impacted by cyber threats, they are urged to contact the Cyber Centre toll free at 1-833-CYBER-88, by email contact@cyber.gc.ca or visit https://www.cyber.gc.ca/en/incident-management

 

Canadian Armed Forces and the Communications Security Establishment Cooperation

• The Canadian Armed Forces and CSE have a long history of partnership in the development of highly technical and specialized capabilities that support Canadian Armed Forces operations.
• These activities are subject to CSE’s rigorous system of internal policies and procedures as well as independent oversight and review.
• Cooperation between the Canadian Armed Forces and CSE ensures the best use of tools and capabilities, reduces unnecessary duplication of efforts, leverages each other’s authorities, and improves the chances of meeting mission objectives.

Authorizations and safeguards

• Cyber operations undertaken in support of government objectives will be pursuant to the CSE Act, and the Crown Prerogative and the National Defence Act, and will be consistent with Canada’s international legal obligations.
• CSE is prohibited by law from targeting the private information of Canadians or any person in Canada and must not infringe the Canadian Charter of Rights and Freedoms.
• Cyber operations conducted under CSE authorities require the Minister of National Defence to issue a Ministerial Authorization, which requires either consultation with the Minister of Foreign Affairs (for defensive cyber operations) or at the request of or with the consent of the Minister of Foreign Affairs (for active cyber operations).
• In conducting cyber operations, Canada recognizes the importance of adhering to international law and agreed norms of responsible state behaviour in cyberspace. Canada’s authorities and governance framework to conduct cyber operations is supported by a strong independent review process, as well as internal oversight for operational compliance.
• Foreign cyber operations are further subject to proven checks and balances such as rules of engagement, targeting and collateral damage assessments.

Cyber operations

• Strong, Secure, Engaged (SSE) committed the Canadian Armed Forces to assuming a more assertive posture in the cyber domain by hardening its defences, and by conducting offensive cyber operations against potential adversaries as part of government-authorized military missions.
• The CSE Act authorizes CSE to carry out 2 different types of foreign cyber operations: active and defensive. Both types of operations involve taking action in cyberspace to disrupt foreign-based threats to Canada.
• Defensive cyber operations (DCO) can be used to help protect systems of importance and federal institutions during major cyber incidents when cyber security measures alone are not enough.
• Active cyber operations (ACO) can be used proactively to disrupt foreign-based threats to Canada’s international affairs, defence or security interests.

Canadian Armed Forces cyber operator

• SSE directed the creation of the Canadian Armed Forces Cyber Operator occupation. This trade includes both Reserve and Regular Force members who conduct both defensive and offensive cyber operations with the goal of supporting operational objectives and delivering tactical effects.

Cyber mission assurance program

• Strong, Secure, Engaged (SSE) directed the creation of the Cyber Mission Assurance Program. It is part of the cyber capability to protect critical military networks and equipment from cyber threats. Platforms like aircraft, ships, and vehicles are becoming increasingly dependent on cyberspace. The Cyber Mission Assurance Program ensures that cyber resilience is a primary consideration when new equipment is procured.
• Cyber threats pose unique challenges in projecting and sustaining military power. The changing global environment and the increasing dependence on cyberspace technologies demands a significant change in our culture. The introduction of cyber-resiliency mindset in all our activities is required for the CAF to maintain its competitive advantage. The Cyber Mission Assurance Program focuses on managing the risks associated with cyber threats, to improve resilience, and increase the probability of mission success.

Foreign interference and the democratic process

• The global cyber threat landscape is expanding and becoming ever more complex with a growing cast of malicious and unpredictable state and non-state cyber threat actors, from cybercriminals to hacktivists, that are targeting our critical infrastructure and endangering our national security.
• The cyber programs of the People’s Republic of China (PRC), Russia, and Iran remain the greatest strategic cyber threats to Canada. The PRC’s cyber program surpasses other hostile states in both the scope and resources dedicated to cyber threat activity against Canada.
• The Communications Security Establishment Canada (CSE) and its Canadian Centre for Cyber Security (Cyber Centre) play key roles in monitoring and defending against foreign efforts to interfere in Canada’s affairs.
• Pursuant to the CSE Act, CSE and its Cyber Centre share intelligence and information with government clients, including appropriate authorities in Parliament.
• CSE continues to monitor GC networks and systems of importance for cyber threats. CSE works in close coordination with government partners, including relevant security agencies.
• CSE helps to protect Canada’s democratic process by:
  • providing foreign signals intelligence to Government of Canada decision makers about the intentions, capabilities, and activities of foreign-based threat actors;
  • defending Canada’s federal elections infrastructure from malicious cyber activity;
  • proactively helping democratic institutions improve their cyber security;
  • sharing unclassified threat assessments with the public; and,
  • sharing information to help Canadians identify disinformation.
• To support Parliamentarians, the Cyber Centre, a part of CSE, provides a 24/7 hotline service offering direct support in the event of a cyber incident. The Cyber Centre has provided cyber threat briefings to political parties as well as a dedicated point of contact at the Cyber Centre for assistance with cyber security matters.
• In the run-up to both the 2019 and 2021 federal elections, the Minister of National Defence authorized CSE to conduct defensive cyber operations (DCO) to protect Canada’s election infrastructure from malicious cyber activity if needed. In the event, no activities took place that would have required a DCO response.
• CSE’s Cyber Centre works closely with Elections Canada, elections authorities and political parties on cyber security preparedness. This includes offering briefings, training resources, consultations, tailored advice and cyber security services.
• The Cyber Centre has an ongoing relationship with Elections Canada, which includes:
  • monitoring services to detect cyber threats;
  • working with them to secure their computer networks; and,
  • incident response assistance, if necessary.
• Provincial and territorial elections (PTs) authorities can take advantage of services the Cyber Centre provides to critical infrastructure partners, such as:
  • cyber alerts (including mitigation steps);
  • malware analysis; and,
  • cyber incident advice and support.

Background

Communications Security Establishment Canada:

• The Communications Security Establishment Canada (CSE) is Canada’s centre of excellence for cyber operations. As one of Canada’s key security and intelligence organizations, CSE protects the computer networks and information of greatest importance to Canada and collects foreign signals intelligence.
• CSE also provides assistance to federal law enforcement and security organizations in their legally authorized activities, when they may need CSE’s unique technical capabilities.

State-sponsored Actors Targeting Parliamentarians (APT31):

• 18 Canadian members of the Inter-Parliamentary Alliance on China (IPAC) were notified by the Executive Director in April 2024 they had been targeted by a Chinese state-sponsored cyber actor. This was information was based on a FBI report that assessed IPAC members were targeted by Advanced Persistent Threat actor (APT) 31.
• The FBI report was received by Canada’s security agencies, and the information that included the names of the targeted parliamentarians was shared in 2022.
• CSE shared specific, actionable technical information on this threat with House of Commons (HoC) officials, as would be our normal process with other Government of Canada partners when threats are detected.
• This engagement with the HoC started well before receiving the FBI report in question, as we had been tracking and helping them to take quick and appropriate measures within their systems to protect their network and users against this, and other threats.
• Questions related to how MPs are engaged on situations like this would be best addressed by HoC officials.
• The House of Commons and Senate are independent, and its officials are responsible for determining when and how to directly engage with MPs and Senators.

National Cyber Threat Assessment 2025-2026

• On October 30, 2024, the Canadian Centre for Cyber Security (Cyber Centre) released its National Cyber Threat Assessment 2025-2026 (NCTA 2025-2026). As with previous assessments, it provides a snapshot of cyber threats affecting Canada and Canadians and forecasts how they may evolve in the coming years. The Cyber Center’s flagship report helps build Canada’s resilience to cyber threats.

Key findings:

• Canada is confronting an expanding and complex cyber threat landscape with a growing cast of malicious and unpredictable state and non-state cyber threat actors. Canada’s state adversaries are using cyber operations to disrupt computer networks and conduct online information campaigns to divide our society.
• Cybercrime remains a persistent, widespread and disruptive threat to individuals, organizations and all levels of government across Canada.
• Ransomware is the top cybercrime threat facing Canada’s critical infrastructure.
• The Cybercrime-as-a-Service (CaaS) business model is almost certainly contributing to the continued resilience of cybercrime in Canada and around the world.
• Well-known state adversaries continue to use sophisticated, active programs against Canada and our allies to serve their own political, economic, or military objectives.
• The cyber programs of the People’s Republic of China’s (PRC), Russia, and Iran remain the greatest strategic cyber threats to Canada. Cybercriminals driven by profit are increasingly benefiting from new illicit business models to access malicious tools and are using artificial intelligence to enhance their capabilities.
• The People’s Republic of China’s (PRC) expansive and aggressive cyber program presents the most sophisticated and active state cyber threat to Canada today. The PRC cyber program’s scale, tradecraft, and ambitions in cyberspace are second to none.
• Countries that aspire to become new centres of power within the global system, such as India, are building cyber programs that present varying levels of threat to Canada.
• India very likely uses its cyber program to advance its national security imperatives, including espionage, counterterrorism, and the country’s efforts to promote its global status and counter narratives against India and the Indian government.
• While the assessments describe trends that should concern anyone who reads about them, CSE and the Cyber Centre remain focused on tackling these threats.

The Canadian Centre for Cyber Security:

• As part of the Communications Security Establishment Canada (CSE), the Canadian Centre for Cyber Security (Cyber Centre) brings over 70 years of experience protecting Canada’s most sensitive information and networks. Bringing together operational security experts from across the Government of Canada, the Cyber Centre is the Government of Canada’s authority on cyber security.
• Defending the Government of Canada’s information systems provides the Cyber Centre with a unique perspective to observe and analyze trends in the cyber threat environment.
• The Cyber Centre works closely with other government agencies, industry partners, and with the public to share knowledge and experience to improve cyber security for Canadians and to make Canada more resilient against cyber threats.

Defence Policy Update

• The Government announced its Defence Policy Update (DPU), titled: Our North Strong and Free: A Renewed Vision for Canada’s Defence on April 8, 2024.
• The DPU proposes significant new investments in the Communications Security Establishment Canada (CSE), through Budget 2024, to support foreign cyber operations and enhanced foreign intelligence capabilities.
• The DPU includes a commitment of $917 million over five years to support Canada’s Foreign Cyber Operations Program and increase foreign intelligence collection capabilities and a total commitment of $2.83 billion over 20 years.
• These investments will enable Canada to take actions through cyberspace to counter threats, advance foreign policy interests, and support military operations.
• With this investment, CSE will be able to:
  • Protect Canada’s sovereignty, including our Arctic and northern regions.
  • Further help protect Canadians from cyber threats, international extremism, and hostile state activity such as espionage, foreign interference, and disinformation.
  • Keep pace with technological change and maintain our skills advantage in cyberspace and ensure interoperability with our allies.
  • Protect critical infrastructure including the communications and information systems that we rely on; and
  • Contribute operational expertise to military operations and key alliances such as NATO.
• This additional investment reflects the confidence the government has in CSE because of our track record of delivering results.

Background

Foreign cyber operations (FCO)

FCO is an umbrella term for activities conducted under the CSE’s active cyber operations (ACO) mandate and defensive cyber operations (DCO) mandate – to protect the Government of Canada or systems of importance from malicious activity.

In short: we take action online to counter foreign-based threats and advance Canada’s international affairs, defence, or security interests. These are informed by both our foreign intelligence mandate and our cyber defence capabilities.

CSE has a proven track record that respects and reinforces Canada’s statement on international law and cyber norms outlined by the Minister of Foreign Affairs.

Since the CSE Act came into effect in 2019, CSE has conducted active cyber operations to:

• counter hostile state activity
• counter cybercrime
• disrupt foreign extremists
• and assist the Canadian Armed Forces

Internationally, the US, UK, and Australia have all made multi-billion-dollar investments in cyber operations. This is now an important aspect of the Five Eyes alliance and we see cyber becoming increasingly relevant to other international partnerships, many of which have domestic impacts, such as the International Counter Ransomware Initiative.

Collaboration with the Canadian Armed Forces

CSE works in close collaboration with the Canadian Armed Forces (CAF) on signals intelligence operations in support of defence intelligence requirements. CSE also provides important technical expertise to the CAF in relation to signals collection and analysis.

This partnership ensures that the CAF has improved domain awareness and force protection as it conducts its operations globally.

Increasingly cyber is becoming a key domain of conflict. This was demonstrated clearly by Russian cyber-attacks on Ukrainian military and infrastructure in the lead-up to and following Russia’s full-scale invasion of Ukraine.

As was announced on April 8, 2024, to improve the Canadian Armed Forces’ ability to conduct cyber operations, CSE will work with the CAF to stand up a joint Canadian cyber capability, as part of the CAF’s broader efforts to establish a Canadian Armed Forces Cyber Command.

Working together in this way, we will be able to integrate the unique strengths of both organizations into a unified team that will conduct active cyber operations in support of Canadian interests.

Emerging technology

Responsible use of Artificial Intelligence (AI)

• Data science, artificial intelligence, and machine learning capabilities have played a long-standing and vital role in keeping Canada safe and secure.
• At the Communications Security Establishment Canada (CSE), we are committed to leveraging these technologies responsibly by upholding rigorous legal and ethical standards and privacy protections.
• CSE is working closely with others such across the Government of Canada, such as the National Research Council, as well as our Five Eye partners, academia, and industry to guide and govern our AI use.
• As Canada's technical authority on Cyber Security, CSE publishes a range of cybersecurity reports, advice, and guidance to keep stakeholders up to date on emerging risks and best practices. For example, we recently co-badged, with Five Eyes partners, joint advisories on cybersecurity considerations related to AI.

Emerging technology

• CSE is a thought leader and pathfinder in emerging digital and cyber technologies. Its expertise is leveraged to inform government policies on emerging technologies, ranging from 5G to AI and quantum.
• Despite emerging technologies being in varying stages of development and realization, they all have implications for Canada’s economic prosperity, national security, and the individual safety and privacy of Canadians.
• While emerging technologies present great opportunities, they can also be maliciously deployed by sophisticated threat actors.
• For example, with machine learning, a rapidly developing subset of artificial intelligence, cyber threat actors can attack the models through adversarial machine learning techniques. These techniques exploit flaws in the machine learning model’s logic to deceive it or force it to return unintended, sometimes confidential, information.
  • In November 2023, the Guidelines for secure AI system development were released. CSE’s Cyber Centre worked alongside the UK National Cyber Security Centre (NCSC), the US Cybersecurity and Infrastructure Security Agency (CISA), and 20 international partner organizations to develop and publish this document.
• CSE continues to advocate for the digital use of online technology in a safe and secure way and have published an AI Fact Sheet to help inform Canadians generally on this evolving topic.

Quantum and cryptography

• Developments in quantum computing could also threaten the security of current cryptographic methods. CSE’s Cyber Centre is working with federal, commercial, academic, and international partners to develop reliable post-quantum cryptography.
• The Cyber Centre is a partner with the National Institute of Standards and Technology (NIST) in the United States. NIST recently published standards for 3 post-quantum cryptographic algorithms. These standards will enable cyber security solutions to be secure against the threat posed by quantum computers.

Research

• Budget 2022 proposed new funding to enhance Canada’s cyber security capabilities through research investment.
  • CSE is also partnering with the Natural Sciences and Engineering Research Council of Canada to fund academic research communities to conduct research on cutting-edge technologies in areas of strategic importance to CSE and the Government of Canada.
  • The first two areas of focus include: Robust, secure and safe artificial intelligence; and Exploratory analysis for unstructured data.
  • CSE has since been approved for $44.5 million over 9 years to fund academic research on cutting-edge technologies relevant to CSE’s activities.
• CSE’s Research Directorate includes teams of researchers in the fields of cryptography, cyber security, vulnerability research, high-performance computing, data science and artificial intelligence.

TIMC

• CSE is also home to the Tutte Institute for Mathematics and Computing (TIMC), a government research institute focused on fundamental mathematics and computer science.
  • The TIMC’s key research areas are cryptography and data science.
  • While a large portion of its work is classified, when possible, results are released to the academic and open-source communities.

Background

• Technology evolves quickly. To keep up, CSE promotes a culture of constant innovation, including research and collaborative events.
• CSE has published several public reports that discuss Artificial Intelligence, including: the Threat from Large Language Model Text Generators, Adopting Artificial Intelligence with Security in Mind, and others. Additional information on CSE’s approach to AI can be found in the AI section of CSE’s annual report, as well as the National Cyber Threat Assessment 2025-2026 report.
• Other research activities included developing data maps and conducting exploratory data analysis, engaging industry partners to develop and pilot methods for secure computation in insecure environments and conducting research to support the post-quantum cryptography standardization processes.
• CSE’s researchers working in applied research explore the current and incoming challenges the organization faces in carrying out its mission. They build solutions to enhance CSE’s capabilities. In the 2022-23 fiscal year, CSE developed the following products using data science to support the work of CSE analysts:
  • An automated translation software for mission-critical languages that’s faster and more accurate than previously available methods. It uses machine learning and was created in collaboration with partners in SIGINT.
  • A suite of image analysis services to process, enrich and search our data collection.
  • Tools to triage mission data using data science tools to analyze text and identify topics.
  • Tools that allow for foreign intelligence/SIGINT analysts to better understand and detect influence and effects.

Accountability, review, and oversight

• The Communications Security Establishment Canada’s (CSE) mandate is defined in the CSE Act, with clear limits to protect Canadian privacy. CSE monitors its activities internally, while external bodies oversee and review its activities on behalf of Canadians to ensure they comply with the law. CSE is committed to being as open and transparent as possible, while still protecting classified information.
• CSE is subject to ongoing review by two independent external review bodies that play an integral role in enhancing accountability and transparency:
  • the National Security and Intelligence Review Agency (NSIRA); and
  • the National Security and Intelligence Committee of Parliamentarians (NSICOP).
• Based on their distinct mandates, both NSIRA and NSICOP are responsible for reviewing Government of Canada national security and intelligence activities. Whereas NSIRA consists of Governor-in-Council appointees, NSICOP consists of members of Parliament and Senate.
• Through their public reports, NSIRA and NSICOP increase transparency for Canadians on the activities of the security and intelligence community and help ensure CSE and other members of the community are held accountable for their national security and intelligence activities.
• CSE actively supports external reviews by briefing review staff, answering questions, and providing access to classified and unclassified materials. In addition to NSIRA and NSICOP, the Intelligence Commissioner (IC) provides oversight by approving authorizations for certain CSE and CSIS activities prior to their execution.
• Similar to review bodies, the IC prepares annual public reports that allow Canadians to have a better understanding of the activities CSE and CSIS undertake.
• CSE values independent, external review and oversight of its activities, and remains committed to cooperating with these important institutions.
• CSE also maintains an internal compliance program to ensure that CSE operations conform to the law and CSE policies, including protecting the privacy of Canadians and people in Canada.
• Beyond reviews, CSE and its Canadian Centre for Cyber Security (Cyber Centre) publish numerous publications on their websites to promote transparency and share information with Canadians.
  • Key publications include CSE's Annual Report, the National Cyber Threat Assessment (NCTA), Threats to Democratic Processes Report (TDP), as well as various cyber threat alerts.
• CSE also actively promoted transparency through its parliamentary appearances, media interviews, Access to Information responses, proactive disclosures, responses to Order Paper Questions, social media posts, and active participation in public events, such as conferences.
• CSE remains active in its commitment to being as open and transparent as possible, while still taking appropriate measures to protect the integrity of its operations.

Background

Quick facts

This year, CSE’s internal compliance team conducted:

• compliance training
• annual compliance knowledge accreditation
• compliance incident handling
• compliance assessments of operational activities
• compliance outreach and education

In the 2024 Authorization cycle, CSE submitted a total of 6 Ministerial Authorizations to the Intelligence Commissioner (IC):

• 3 Foreign Intelligence Authorizations
• 3 Cybersecurity Authorizations

The IC fully approved 5 of the 6 Authorizations. The IC partially approved 1 Authorization, for foreign intelligence activities. The partially approved authorization included proposed enabling activities under a basket clause drawn from the CSE Act. The IC concluded that CSE had not provided sufficient details to approve the proposed activities.

CSE External Review statistics in FY 2023-24:

• contributed to 25^{Footnote 1} external reviews
• gave 31 briefings to review bodies
• answered 317 questions
• answered 96% of questions by the requested due date, a significant increase from last year.
• Of the 25 external reviews CSE supported this fiscal year, 3 were reviews into foreign interference in Canada’s federal elections. These reviews were conducted by NSIRA, NSICOP, and the Independent Special Rapporteur (ISR).

In addition to the foreign interference reviews notes above, the Foreign Interference Commission was appointed in September 2023 to conduct a Public Inquiry into Foreign Interference in Federal Electoral Processes and Democratic Institutions (PIFI). CSE supports the Government of Canada's response to PIFI through document production, witness testimony and affidavits, and redaction or sanitization of information for release to the public.

This year, CSE’s transparency activities included:

• 110 Order Paper question responses
• 5,580 social media posts
• speeches, conferences and public events
• 6 parliamentary appearances
• 4 public reports
• 55 media interviews
• 4 news conferences
• 52 Open Government releases
• 33^{Footnote 2}Access to Information responses
• 12 proactive disclosures

National Security and Intelligence Review Agency Annual Report (2023)

• NSIRA reviews CSE’s activities for lawfulness and to ensure that the activities are reasonable, necessary, and compliant with ministerial direction. NSIRA also serves as the body for any complaints against CSE.
• In its 2023 report, NSIRA completed three dedicated reviews of CSE, and commenced an annual review of CSE’s activities. This included:
  • a review of CSE’s use of the polygraph for security screening, which examined the way CSE operated its polygraph program and the role of the Treasury Board of Canada Secretariat (TBS).
  • a review of CSE’s network-based solutions and related cybersecurity and information assurance activities (NSIRA’s first review of these activities).
  • an annual review of CSE’s activities, which informed, in part, NSIRA’s 2023 classified annual report to the Minister of National Defence.

Findings

Use of polygraphs:

• NSIRA’s review of the polygraph for security screening found that the policies and procedures in place at CSE inadequately addressed privacy issues and polygraph results were over-relied on the for deciding security screening cases.
• NSIRA also found issues with the way in which CSE operated its polygraph program, including unnecessarily repetitive and aggressive questioning by examiners, insufficient quality control of exams, and retention issues related to audiovisual recordings.
• As a result, NSIRA recommended that “CSE and TBS both urgently address the fundamental issues related to the legality, reasonableness, and necessity of the use of the polygraph for security screening. If these issues cannot be addressed, NSIRA recommended that TBS remove the polygraph from the Standard and CSE should cease using it for security screening.”

CSE’s Network-based solutions and related Cybersecurity and Information Assurance activities:

• This was NSIRA’s first review of CSE’s CSIA activities, along with its first review of Shared Services Canada (SSC).
• Overall, NSIRA found that CSE operates a comprehensive and integrated ecosystem of cybersecurity systems, tools, and capabilities to protect against cyber threats, with a design that incorporates measures meant to protect the privacy of Canadians and persons in Canada.
• NSIRA made findings and recommendations in two areas of concern:
  • CSE’s communications to the Minister of National Defence about its CSIA program did not fully reflect its activities in practice. NSIRA made recommendations to CSE to improve its transparency in this regard.
  • CSE acquired information from sources that, in limited cases, may engage Canadian privacy interests. While this information has clear cybersecurity value, it was not acquired within the scheme of ministerial authorizations, due in part to an incongruence between subsections of the CSE Act. NSIRA recommended various actions to address this acquisition.

Operational Collaboration between CSE and CSIS:

• With respect to operational collaboration, including under CSIS’s TRM mandate, NSIRA found a lack of information sharing and proactive planning, as well as a failure on CSE’s part to properly account for and mitigate the risk of targeting Canadians when working with CSIS.
• NSIRA recommended some procedural changes to improve information flow, consultation, transparency, and accountability.

National Cyber Threat Assessment 2025-2026

• On October 30, 2024, the Communications Security Establishment Canada (CSE) released its National Cyber Threat Assessment (NCTA) for 2025-26. The report included several key findings including that:
  • The People’s Republic of China (PRC) presents the most sophisticated and active cyber threat to Canada.
  • Over the past four years, at least 20 networks associated with Government of Canada agencies and departments have been compromised by PRC cyber threat actors.
  • The cyber programs of the PRC, Russia, and Iran remain the greatest strategic cyber threats to Canada.
  • India’s leadership almost certainly aspires to build a modernized cyber program with domestic cyber capabilities.
  • Cybercriminals driven by profit are increasingly benefiting from new illicit business models to access malicious tools and are using artificial intelligence to enhance their capabilities.
  • Ransomware is the top cybercrime threat facing Canada’s critical infrastructure.
• We continue to monitor for any developing cyber threats and share threat information with our partners and stakeholders to help prevent incidents.
• The Cyber Centre does not comment on specific incidents, but we can say that all known federal government compromises have been resolved.
• The Cyber Centre’s primary focus is on defending federal networks and other systems of importance to the Government of Canada, including critical infrastructure, from cyber threats.
• We encourage Canadians and Canadian organizations to be aware of cyber threats by reading reports such as the NCTA 2025-2026 and to remain vigilant.

State sponsored threats:

• The cyber programs of the PRC, Russia, and Iran remain the greatest strategic cyber threats to Canada.
• State adversaries are using cyber operations to disrupt computer networks and conduct online information campaigns to divide Canadian society.
• State adversaries are trying to intimidate Canadians, including diaspora communities, through coordinated cyber campaigns meant to repress opponents and silence criticism.
• State-sponsored cyber threat actors are very likely targeting critical infrastructure networks in Canada and allied countries to pre-position for possible future disruptive or destructive cyber operations.
• Well-known state adversaries continue to use sophisticated, active programs against Canada and its allies to serve their own political, economic, or military objectives.

Indian foreign interference:

• CSE assesses that India’s leadership almost certainly aspires to build a modernized cyber program with domestic cyber capabilities.
• India very likely uses its cyber program to advance its national security imperatives, including espionage, counterterrorism, and the country’s efforts to promote its global status and counter narratives against India and the Indian government.
• We judge that official bilateral relations between Canada and India will very likely drive Indian state-sponsored cyber threat activity against Canada.
• We assess that Indian state-sponsored cyber threat actors likely conduct cyber threat activity against Government of Canada networks for the purpose of espionage.
• We continue to monitor for any developing cyber threats and share threat information with our partners and stakeholders to help prevent incidents.
• The Cyber Centre’s primary focus is on defending federal networks and other systems of importance to the Government of Canada, including critical infrastructure, from cyber threats.
• On any given day, CSE’s defensive systems can block upwards of 6.6 billion events targeting Government of Canada networks. These defensive actions are a result of its existing cyber defence capabilities which remain ready to defend GC systems, and a small number of high-priority non-federal institutions, 24/7.

The People’s Republic of China (PRC):

• The PRC’s expansive and aggressive cyber program presents the most sophisticated and active state cyber threat to Canada today.
• The PRC conducts cyber operations against Canadian interests to serve political and commercial objectives, including espionage, intellectual property (IP) theft, malign influence, and transnational repression.
• PRC cyber threat actors direct their activities at all levels of government in Canada, public officials, activists, journalists, diaspora communities, private sector entities, academia, supply chains and any other groups that the PRC views as security threats or as valuable espionage targets.

How the Cyber Centre/Government of Canada defends critical infrastructure:

• The Cyber Centre works closely with Canadian government partners, including law enforcement and national security partners, provincial and territorial governments, and private sector partners like critical infrastructure operators, to help them protect their networks and systems from cyber threats.
• For example, the Cyber Centre shares:
  • threat bulletins that help providers assess the cyber risks;
  • indicators of compromise – signs that a bad actor has gotten into a system, which providers can look for;
  • various types of notifications, including advisories (routine), alerts (urgent), cyber flashes (urgent and sensitive); and
  • advice and guidance about cyber security best practices
• Cyber security matters to all of us, and the federal government works together with other jurisdictions, organizations, and critical infrastructure network defenders to raise Canada’s cyber resilience.
• The Cyber Centre also works closely with Canadian government partners and critical infrastructure providers to help them protect their networks and systems from cyber threats.

Trends shaping Canada’s cyber threat landscape:

• The cyber threat surface keeps expanding, supply chain attacks continue, and publicly known vulnerabilities are still being exploited.
• AI technologies like generative AI tools are amplifying cyberspace threats and enabling cyber threat actors to enhance the quality and scale of their foreign online influence campaigns.
• Cyber threat actors are using generative AI tools to improve the personalization and persuasiveness of social engineering attacks and create fake social media bot accounts, online personas and websites.
• Non-state actors, like hacktivists, are seizing on major global conflicts and political controversies to carry out disruptive activities.
• Cyber threat actors are evolving their tradecraft to hide their malicious activity and minimize detection. This includes targeting and exploiting vulnerabilities in edge devices, such as routers and VPNs, using living-off-the-land (LOTL) techniques and abusing domestic infrastructure.

Background

• The Government of Canada (GC) faces a variety of state and non-state cyber threats, probing government systems and networks billions of times every single day, looking for vulnerabilities.
• The GC takes its responsibility very seriously to safeguard Canada against cyber security threats in an expanding and complex cyber threat landscape with a growing cast of malicious and unpredictable state and non-state cyber threat actors.
• The Communications Security Establishment Canada (CSE) and the Canadian Centre for Cyber Security (Cyber Centre) remain focused on tackling these threats.
• Our goal is to raise the awareness-level of individual Canadians and leadership at Canadian organizations, big or small, across all sectors, to the threats out there – and the concrete steps that can be taken together to defend against them.
• In the last fiscal year alone, our automated defences protected the Government of Canada from 2.4 trillion malicious actions, an average of 6.6 billion a day.
• CSE uses all aspects of its mandate, partnerships, and tools, such as its sensors, to defend federal networks and systems of importance to the Government of Canada.
• CSE and the Cyber Centre continue to work together with our allies to protect our shared national interests and keep our population safe from state-sponsored cyber threats.

National Cyber Threat Assessment 2025-2026:

• The NCTA 2025-2026 highlights the cyber threats facing individuals and organizations in Canada. It provides an update to NCTA 2018 2020, and 2023-2024, with analysis of the interim years and forecasts until 2026.
• The Cyber Centre prepared this assessment to help Canadians shape and sustain Canada’s cyber resilience.
• The key judgements in this assessment rely on reporting from multiple sources, both classified and unclassified.
  • The judgements are based on CSE’s knowledge and expertise in cyber security.
  • Defending the Government of Canada’s information systems provides CSE with a unique perspective to observe trends in the cyber threat environment, which also informs our assessment.
  • The foreign intelligence aspect of CSE’s mandate provides us with valuable insights into adversary behaviour in cyberspace.

Indian foreign interference

• On October 30, 2024, the Communications Security Establishment Canada (CSE) released its National Cyber Threat Assessment (NCTA) for 2025-2026.
• CSE assesses that India’s leadership almost certainly aspires to build a modernized cyber program with domestic cyber capabilities.
• India very likely uses its cyber program to advance its national security imperatives, including espionage, counterterrorism, and the country’s efforts to promote its global status and counter narratives against India and the Indian government.
• We judge that official bilateral relations between Canada and India will very likely drive Indian state-sponsored cyber threat activity against Canada.
• We assess that Indian state-sponsored cyber threat actors likely conduct cyber threat activity against Government of Canada networks for the purpose of espionage.
• We continue to monitor for any developing cyber threats and share threat information with our partners and stakeholders to help prevent incidents.
• The Cyber Centre’s primary focus is on defending federal networks and other systems of importance to the Government of Canada, including critical infrastructure, from cyber threats.
• On any given day, CSE’s defensive systems can block upwards of 6.6 billion events targeting Government of Canada networks. These defensive actions are a result of its existing cyber defence capabilities which remain ready to defend GC systems, and a small number of high-priority non-federal institutions, 24/7.
• CSE and the Cyber Centre continue to work hand-in-hand with our allies to protect our shared national interests and keep our population safe from state-sponsored cyber threats.

COMSEC and satellites

• The Communications Security Establishment Canada (CSE) is the national authority for Communications Security (COMSEC) and information assurance as mandated in the Communications Security Establishment Act (CSE Act).
• CSE provides COMSEC equipment to Government and Industry – special devices that rely on strong, sensitive cryptography – to secure Canada’s most sensitive information.
• To ensure that sensitive information is appropriately protected, the CSE program provides the tools, services, and guardrails to protect Canada’s most sensitive information and interests domestically and abroad.

Satellites

• Redacted three RADARSAT missions:
  • RADARSAT
  • RADARSAT Constellation Mission (RCM)
  • RADARSAT RCM-R (Replenishment)
• With an increase in space investment, CSE has scaled up its COMSEC program Redacted
• Additionally, CSE supports the Telesat Low Earth Orbit (LEO) Lightspeed project by Redacted
  • Redacted
  • Before Canada adopts COMSEC equipment for use, CSE evaluates it to ensure it meets strict security standards. All high-assurance COMSEC equipment used by any entity in Canada must first undergo rigorous evaluation and testing via the Approval for Use (AFU) process to ensure that it meets Canadian standards for use.
• This uniquely Canadian solution, fully backed by CSE, reinforces our commitment to national security and sovereignty by ensuring the integrity of our communications infrastructure.
• By ensuring that critical infrastructure is protected by Canadian-developed technology and standards, the government is taking proactive steps to secure vital systems against evolving global cyber threats.

Background

COMSEC

• Key Roles of COMSEC include:
  • Protecting Sensitive Data: Encryption secures sensitive data by converting it into unreadable code, accessible only to authorized users with the correct keys.
  • Maintaining Privacy and Confidentiality: COMSEC protects against unauthorized interception and exploitation of communications.
  • Preventing Cyber Threats and Attacks: Encryption provides a strong defense against cyber threats, such as eavesdropping, man-in-the-middle attacks, and data breaches.
  • Ensuring Data Integrity: By using encryption and digital signatures, COMSEC helps verify that data has not been altered during transmission.
  • Compliance and Regulatory Standards: COMSEC solutions are essential for organizations to comply with regulations like GDPR and HIPAA.
  • Enabling Trust and Confidence: Robust COMSEC measures foster trust among stakeholders, partners, and the public.
• All high-assurance COMSEC equipment must undergo rigorous evaluation and testing through the Approval for Use (AFU) Process.

Telesat Low Earth Orbit (LEO) Lightspeed Program

• The Government of Canada is actively supporting the Telesat Low Earth Orbit (LEO) Lightspeed project, with CSE providing Redacted
• This collaboration enhances Canada’s communications security and strengthens the integrity of critical national infrastructure through Redacted
• The Telesat Lightspeed network is composed of 198 state-of-the-art LEO satellites, seamlessly integrated with on-ground data network. It is poised to bridge the digital divide by delivering affordable, high-speed broadband and 5G connectivity to unserved and underserved communities in Canada and worldwide.
• In addition to expanding connectivity, the network will support the modernization of satellite communications for the Canadian government and allies, contributing significantly to NATO and NORAD initiatives that bolster defense and security for Canada and its partners.
• Telesat’s LEO Lightspeed network provides secure, resilient, and fully managed connectivity for Canada’s national defense. It supports situational awareness, intelligence gathering, and communication for troops on land, in the air, and at sea.
• Through CSE’s involvement, the project demonstrates a strong commitment to Canadian digital sovereignty. By ensuring that critical infrastructure is protected by Canadian-developed technology and standards, the government is taking proactive steps to secure vital systems against evolving global cyber threats.

Quantum

• A quantum computer capable of attacking current cryptography could be available as early as the 2030s.
• Existing cryptographic systems will need to be upgraded to quantum-resistant cryptography (PQC). CSE is actively participating in the PQC standards process and has high confidence in the algorithms.
• Validated implementations of PQC algorithms should be available around 2026-27. CSE closely follows developments in quantum computing on an ongoing basis to inform the timeline for transition to PQC.
• Organizations should start planning for the transition to PQC to mitigate the "harvest now, decrypt later" threat, wherein adversaries collect encrypted data now, store it, and decrypt once a sufficiently powerful quantum computer exists.
• Key CCCS Guidance:
  • Executive Awareness: Addressing the quantum computing threat to cryptography
  • Practitioner Awareness: Preparing your organization for the quantum threat to cryptography
  • Cryptographic algorithms for Protected B and below

Arctic defence and sovereignty

• The Arctic is one of Canada’s foremost security priorities, including as it relates to cyber.
• In response, the Government of Canada has announced major investments in Continental Defence, modernizing NORAD, as well as enhancing the Communications Security Establishment’s (CSE) abilities to prevent and defend against cyber attacks.
• The recent funding in this space signals that CSE is taking the global shift to cyber seriously, including cyber security in the Arctic.
• Enhancing situational awareness and operational effectiveness in cyber space is a critical component to safeguarding and advancing our national and collective interests in the North.
• CSE continues to provide the most comprehensive information available related to Canada’s intelligence priorities, directly furthering Canadian safety, security, and prosperity.