Transition Binder for the Honourable Bill Blair, Minister of National Defence, July 26, 2023

Dear Minister Blair:

Congratulations and welcome to your role as the Minister of the most important agency you’ve never heard of: The Communications Security Establishment (CSE). CSE includes the Canadian Centre for Cyber Security (Cyber Centre), which is the federal government’s lead operational agency for cyber security.

As your Deputy Minister (Chief) for CSE, I look forward to working with you and discussing how our expertise is helping the Government deliver on its commitments and priorities. The intent of this letter is to give you a brief introduction to our current and future priorities, and your responsibilities in relation to our authorities.

CSE is Canada’s lead operational and technical agency for cyber defence and cyber security. We have a national mandate to collect foreign intelligence to support Government decision-making. While Cabinet sets foreign intelligence priorities, we take further direction from you to ensure we are focusing our resources where we can have the most impact.

We also have a mandate to conduct cyber operations to advance Canadian interests, including countering some of the toughest national defence and security challenges we face. We work interoperably with our Five Eyes partners on intelligence, military and cyber defence, and we also assist the Canadian Armed Forces at home and abroad. In essence, CSE is:

• The national technical authority for cyber security and safeguarding Canada’s secret information through strong encryption;
• The national authority for foreign intelligence collected through cyberspace (signals intelligence or SIGINT); and
• Canada’s hub for national cyber capabilities and operations.

CSE plays an integral role in helping to protect Canada and Canadians against a variety of threats, which on any given day could include foreign-based terrorism, foreign espionage, cyber threat activity, kidnapping of Canadians abroad, attacks on Canadian critical infrastructure, and other serious threats including cyber incidents. Our activities help ensure our nation’s security, stability, and economic prosperity.

In the near term, there are several priority files that will require your attention, including:

• Russia’s Invasion of Ukraine: We have an important role supporting Canada’s response to Russia’s invasion of Ukraine. This has included exposing Russia’s ongoing disinformation efforts and providing cyber security support to Ukraine and Latvia.
• Foreign Interference: Canadians need to be able to trust the outcomes of democratic electoral processes, and we work within our mandate, with national security partners, to protect Canadians and raise awareness about this serious threat.
• Foreign Cyber Operations (FCO): We take action online to counter and disrupt foreign-based threats and advance Canada’s international affairs, defence, economic, or security interests. In 2022, the Minister of National Defence issued four (4) Ministerial Authorizations for FCO.
• National Cyber Security Strategy (NCSS) Renewal: We are working to support a renewal of Canada’s National Cyber Security Strategy, which will articulate how the federal government can work with industry, Canadians, and other levels of government to make Canada one of the safest places to live and work online.

In addition, we support the Government’s priorities through CSE’s foreign intelligence mission, providing timely, relevant, and useful intelligence to you and your Cabinet colleagues on emerging priorities, strategic issues, and crises. For example, you can expect CSE to produce foreign intelligence on continental defence, issues related to the implementation of Canada’s Indo-Pacific Strategy, and protection of Canada’s territorial sovereignty.

Budget 2022 allocated significant funds to expand CSE’s capacity with $852.7M over 5 years, and $218.3M ongoing which will help us meet increasing demands for our intelligence and cyber security services. CSE has a significant role in the Defence Policy Update including building our national cyber operations capabilities.

For over 75 years, CSE has been Canada’s national cryptologic agency – making and breaking codes. Our history has prepared us well for the future. Technology itself is emerging as a domain of inter-state competition and will introduce new vulnerabilities to our citizens and our businesses. We have the talent and the know-how to help the Government navigate in an era of constant, fast-paced technological change.

Cyber security has become a “whole-of-society” concern and growing challenge. Cyber threats are frequently directed at critical infrastructure networks and technology used to run vital sectors. It will not be long, if past trends continue, before we will be briefing you on a cyber incident in government or in Canadian critical infrastructure. Your active engagement with Canadian industry will help us raise awareness of cyber threats and encourage critical infrastructure operators to work with us, to take action, and to defend themselves.

Our skilled workforce of diverse experts, our modern and state-of-the-art facility combined with recent investments and updated authorities make CSE uniquely well suited to support the Government’s broader agenda. I am also confident you will find that CSE delivers our mandate in a way that reflects the Government’s commitment to transparency, innovation, diversity and inclusion.

We have grown into our modern-day mandate responsibly—by demonstrating our value over many decades, by successfully conducting operations covertly and without attribution to Canada, with great attention to lawfulness and privacy protections. We have focused on building trust and confidence with Canadians. We have nurtured longstanding, valued relationships with our key allies, as well as built partnerships with the Canadian private sector and academia. Among international cyber power benchmarks, Canada rates high in our cyber defence capabilities and cyber threat intelligence capacity.

At your convenience, I would welcome the opportunity to welcome you to the CSE Campus Buildings to see the great work we are doing as a member of the defence portfolio.

I look forward to working with you, Minister Blair, to help deliver your Government’s platform commitments and your mandate letter priorities.

Sincerely,

Caroline Xavier (She/her)
Chief
Communications Security Establishment

As Minister of National Defence responsible for the Communications Security Establishment, you are accountable for our national roles in:

Cyber security: CSE actively defends Canadian government networks, and helps protect other networks that you designate as important to the Government. CSE provides national leadership as the Canadian Centre for Cyber Security, including a role as the national Cyber Emergency Response Team (CERT).

Foreign intelligence: CSE is the leading provider of foreign intelligence to Government clients, and the national authority for signals intelligence. Foreign intelligence activities are guided by the Cabinet-approved set of priorities.

Foreign cyber operations: CSE has a broad mandate for foreign cyber operations in support of Canada’s international affairs, defence and security, including cyber security. CSE’s advanced technical capabilities and operational expertise are also used to support DND/CAF, CSIS and RCMP in the conduct of cyber operations under their respective mandates.

Who we are

Personnel

• Our workforce is 3,232 full-time, permanent employees.
• CSE was named one of Canada’s top employers for young people from 2017 to 2023 and named one of the National Capital Region’s Top Employers (2023)
• In the most recent Public Service Employee Survey results our employees ranked CSE higher than the rest of the public service in innovation (by 21%), pride in work (by 5%), and psychologically healthy workplace (by 10%).
• CSE workforce continues to be more inclusive and diverse with 28.8% women, 1.7% Indigenous People, and 11.8% people with disabilities. Work remains ongoing with internal and external partners through tailored recruitment, future of work initiatives, and efforts to promote EDI.

Budget

• CSE’s 2022 to 2023 total authorities were $948 million.

What we do

We are foreign intelligence

• We support you and other Cabinet Ministers by providing assistance to Canadian military missions abroad, offering insights about issues of global importance, and uncovering foreign-based threats such as extremists planning to carry out attacks against Canadian interests and malicious cyber threats against Canadian networks.

We are cyber security

• We deliver world-class defence of Canadian government networks, routinely blocking over a billion malicious cyber attempts per day. We have the authority to use our expertise to assist Canadian critical infrastructure. We provide custom advice and guidance to a wide range of Canadian entities about specific threats, help respond to major incidents, and raise public awareness through outreach and national cyber security campaigns.

We are trusted advisors

• We provide technical and operational assistance to CAF/DND, CSIS and RCMP where CSE’s costly and hard-won capabilities or expertise can be employed, reducing duplication and improving cost effectiveness. All assistance is provided under the authorities of the requesting agency and subject to the same restrictions that apply to the requesting agency.
• We support a broad range of partners (industry, academia, provinces and territories, allies), promote cyber security, and protect critical infrastructure. For example, under CSE’s Security Review Program, we work with telecommunications providers, vendors and private sector labs to help mitigate risks in designated wireless equipment and services, including Huawei.

How we do it

Leading-edge technological expertise

• CSE has the largest concentration of supercomputers in Canada, and is home to the Tutte Institute for Mathematics and Computing, a world-class Top Secret mathematicians and computing institute.
• CSE is a thought leader and pathfinder in emerging digital and cyber technologies, with a research program focused on quantum cryptography; advanced analytics; maintaining covert operations and detecting hostile state actor campaigns. CSE’s expertise is harnessed to inform Government policies on emerging technology, ranging from 5G to artificial intelligence and quantum.

Legal authorities and capabilities

• The CSE Act is expected to be reviewed (timing of review to be confirmed).

Engagement with key stakeholders

• CSE is a trusted and contributing partner within the Five Eyes community. In return, CSE acquires information, capabilities and tradecraft that would not otherwise be available to Canadian cryptologic practitioners.
• CSE foreign intelligence reporting in 2022 to 2023: 3,007 reports, 1,774 clients, 27 departments and agencies.
• CSE collaborates with the private sector to innovate new solutions.

CSE - Key facts

• CSE’s 2022-2023 budget is $948 million, total authorities.
• Since 2014, CSE and the Government of Canada have officially attributed 12 cyber incidents to nation-state and state-affiliated actors.
• CSE’s automated defences protect the Government of Canada from over 6 billion malicious actions a day.
• Foreign cyber operations authorizations: In 2022, the Minister of National Defence issued 4 authorizations for foreign cyber operations (3 ACO and 1 DCO).
• Cyber security authorizations: In 2022, the Minister of National Defence issued 3 authorizations for cyber security operations (1 federal, 2 non-federal).

CSE - Workforce

• 3,232 full-time employees as of March 31, 2023.
• CSE’s attrition has been between 3.8% and 4.7% over the past 7 years. This still remains lower than the industry standard, especially in the technology field. We believe our low attrition rate reflects the positive work environment, employee development and support programs we have in place.
• Employee satisfaction remains high and CSE was named as one of the best places to work among Canada’s major federal agencies in the 2020 Public Service Employee Survey (PSES). Based on the 2020 results, 89 per cent of CSE employees are proud of the work they do and 90 per cent feel their ideas and opinions are valued.
• CSE has also been recognized as a Top Employer in 2020, 2021, 2022, and 2023, as well as one of Canada’s Top Employer for Youth for the past 7 years in a row.
• We continue to receive somewhere in the range of 10,000 to 15,000 applications per year.

CSE external review

• FY 2022-2023: CSE contributed to 22 external reviews (17 by NSIRA, 4 by NSICOP, and 1 by the Independent Special Rapporteur)

Cyber Centre and industry statistics

• Contact the Cyber Centre by phone at 1-833-CYBER-88 or by email at contact@cyber.gc.ca.
• As of March 2023, 72 federal institutions have deployed cloud-based sensors.
• As of March 2023, 85 federal institutions have deployed host-based sensors on over 860,000 hosts.
• FY 2022-2023: Cyber Centre opened 2,089 cyber security incident cases. That’s an average of 5.5 per day. Of those cases, 957 were federal institutions and 1,132 were critical infrastructure.
• Aventail is the Cyber Centre’s automated threat intelligence sharing service. It provides critical infrastructure partners with relevant, verified information about Indicators of Compromise (IoCs) at machine speed. In 2022 to 2023, Aventail shared 37,000 unique IoCs. That’s just over 100 a day.
• Aventail shared its threat feed with 152 partners (132 critical infrastructure partners; 20 federal institutions).
• CIRA Canadian Shield is a free service that protects Canadians’ privacy on their home networks and personal devices. It also has a threat-blocking option that prevents users from inadvertently connecting to known malicious sites. The Cyber Centre shares its automated threat intelligence feed with CIRA, so that any threats we have identified will also be blocked by Canadian Shield.
• As of March 31, 2023, more than 290,000 users have signed up for Canadian Shield’s threat-blocking services, which recorded more than 215 million blocks this year (FY 2022-23).
• Cyber Centre public reports in FY 2022-2023:
  • 737 advisories
  • 51 advice and guidance publications
  • 21 alerts
  • 14 cyber flashes
  • 4 reports and assessments

Chief
Caroline Xavier

• Head, Canadian Centre for Cyber Security
  Sami Khoury
• Associate Head, Canadian Centre for Cyber Security
  Rajiv Gupta
• Deputy Chief, Enterprise Technolgies and Solutions
  Darrell Schroer
• Deputy Chief, Corporate Services
  Hughes St-Pierre
• Deputy Chief, Authorities, Compliance and Transparency
  Nabih Eldebs
• Deputy Chief, Strategic Policy, Planning and Partnerships
  Wendy Hadwen
• Deputy Chief, Signals Intelligence
  Alia Tayyeb
• Director General, Audit, Evaluation and Ethics
  Eliane Turner
• General Counsel and Executive Director, Legal Services
  Manon Lefebvre
• Director General, Public Affairs and Communications Services
  Christopher Williams

CBC Radio’s The House with Catherine Cullen: Inside Canada’s secretive cyber-spy agency

Aired on June 24, 2023

Background: Chief Caroline Xavier was featured on CBC Radio’s The House to discuss threats to critical infrastructure, in particular the Cyber Centre’s new threat assessment on the oil and gas sector. This interview was in conducted in support of the classified threat briefing to the energy sector on June 21, 2023.

Transcript

Catherine Cullen (CBC’s The House): One of the remarkable things in your report is the idea that State Sponsored Actors are actually already building capacity to potentially sabotage infrastructure, like oil and gas. In a way, I understood it as they are kind of already casing the joint. How concerned do we need to be about that?

Caroline Xavier (Chief, CSE): We need to be very concerned. And, you said casing the joint; I actually like the way you position that. Again, for the reason that it is a better term for the average Canadian to understand. The Cyber Threat Report that we’ve put out, we’ve been talking about this for some time but, we felt that it was important to put out this report at this time because it is like a culmination, or summary, of a series of advisories and guidelines we’ve been putting out in particular for attention to critical infrastructure. And in particular for the energy sector to pay attention- the oil and gas sector.

So yes, our assessment is that people are casing out critical infrastructure in particular, as a critical area of possible opportunity, to be able to maybe… disrupt. Disrupt supply chains, disrupt the distribution of gas. But really, from an opportunistic perspective, looking for vulnerabilities to potentially cause economic disruptions or reputational damage of that nature.

Cullen: One of the things that really struck me in the report was this quote that it is “difficult to overstate the importance of the oil and gas sector to national security.” I know that the report says it like something like this is not necessarily around the corner but help me understand what the consequences of a successful attack would mean for Canadians.

Xavier: Listen, you’re dealing with oil and gas. So just imagine that if you get to a gas distribution and the pressure mounts, it could potentially explode. And that could be really harmful to a local neighborhood, for example, or people that are surrounding it. We have the example of what happened in the United States, the Colonial Pipeline in 2021- in the May 2021 timeframe, which definitely demonstrated that that critical infrastructure being impacted had implications for people who couldn’t get gas, and it hurt other parts of the industry, other parts of the town. And so you- our critical infrastructure really helps us to supply many other things when you think of electricity, you think of health care – because there’s multiple sectors in terms of critical infrastructure, not just the oil and gas one. Oil and gas is really a foundational piece to so many things that we need to survive really, or that we depend on.

Cullen: So people are going to hear this. They are going to find that pretty concerning. I know you were meeting with leaders in the industry this week. How on top of this are we? How- where do we need to be?

Xavier: We work with various stakeholders throughout the critical infrastructure sectors all the time. We periodically do get together with them, because we want to be able to really hone in on some specific information with them at times. We have some specific collaboration initiatives that are in place with the oil and gas sector, as well as the electricity sector. And so, this just builds on that on going collaboration that we have and engagement we have with them. But they welcome when we get together as a community and as a sector, because it is an opportunity for them to learn from themselves, to hear us and what we might be sharing with them, to be able to really get some best practices. And, really, strengthen that partnership so that if we have to call them for anything, first of all they’ll know who we are and they will pick up the phone, but also just to be able to really recognize that when we are giving you these advisories, please pay attention to them. It’s our job, collectively as a partner and as partners to build that cyber resiliency together.

We can’t do this alone as the government, we can’t do this alone as the Communications Security Establishment, and we can’t do this alone as the Cyber Centre. We really do need private sector stakeholders to be actively engaged in this.

And, for me, when we’re communicating with C-Suite individuals in particular, I want them to recognize that this can’t be a conversation only being had with the Chief Information Officer, or the Chief Information Security Officer. They need to care.

Cullen: We also see these headlines about attacks on healthcare systems. There was a global cyber attack last week that affected a well-known healthcare institution in the United States – John Hopkins – because of a vulnerability in commonly used software. How do you defend against something like that when these attacks seem relentless? Is this just whack-a-mole?

Xavier: Fundamentally, one of the things we work really hard at, at the Cyber Centre, is giving people just fundamental tips. Just follow the basics, the top 10 tips- guidelines that we have on our website on cyber.gc.ca. And even if you just did that at a foundation- that already would be a good foundation.

When we talk about Patch Tuesday, or being able to close the gaps that you have in your system when you’ve assessed that somebody may have found a vulnerability and to close it immediately, we are asking you to take that seriously. We talk about phishing, and emails that could be coming into your organization and paying close attention to who’s sent it to you, do you recognize the sender, and so on, and so forth. We tell you that for a reason because all it takes is one click to be into a whole new game that you weren’t expecting.

Cullen: It sounds like you’re saying not enough people are listening.

Xavier: Well… I’d love to say that we are 100% being listened to, but the reality is we can’t stop saying it, and we need to continue to be saying it as frequently as we can, because it is a whole societal piece to be able to have cyber resilience.

It can’t just be on the government; we all have to do our part.

Foreign intelligence (Article 16, CSE Act)

Mandate

• Activities must not be directed at Canadians or Persons in Canada, and must not infringe the Canadian Charter of Rights and Freedoms
• Activities Requiring Ministerial Authorization: MA’s protect CSE where our activities would contravene any other act of Parliament (*or of any foreign state for FI, DCO, and ACO only); and/or would interfere with a reasonable expectation of privacy in relation to a Canadian or person in Canada

Conditions

• Activities must be reasonable, necessary, and proportionate
• Unselected information could not be reasonably acquired by other means
• Measures are in place to protect the privacy of Canadians or persons in Canada
• Information identified as relating to a Canadian or a person in Canada will be used, analyzed or retained only if the information is essential to international affairs, defence and security
• Measures to protect privacy:
• Policies, training, retention, suppression, management approvals, ACL, audit, review, DLS, D2
• Canadian Identifying Information (CII) is only disclosed to designated people/classes of people if the disclosure is essential to international affairs, defence, security, or cyber security.
• Information relating to Canadians or persons in Canada may be disclosed to designated people/classes of people if necessary to protect systems of importance

Exceptions

• Using publicly available information that has been published or broadcast for public consumption, is accessible to the public on the GII or otherwise or is available to the public on request, by subscription or by purchase (does not include information where a Canadian or person in Canada has a reasonable expectation of privacy).
• Testing or evaluating products, software, and systems for vulnerabilities
• Analysing information and providing advice regarding foreign investments in Canada to the Ministers of PS/ISED for the purposes of the Investment Canada Act.
• Acquiring, using, analysing, retaining or disclosing infrastructure information for the purpose of research and development, for the purpose of testing systems or conducting cyber security and information assurance activities on the infrastructure from which the information was acquired.

Approvals

• Authorized by Minister of National Defence: MND must have reasonable grounds to believe that the conditions set out in law are met, including that the FI and CS activities are reasonable, necessary and proportionate and that the ACO/DCO activities are reasonable and proportionate.

Oversight

• Approved by Intelligence Commissioner:
• The IC must be satisfied that the ministerial conclusions are reasonable
• The IC approves CSE’s MAs before CSE can conduct any operations.

Review

• NSIRA: National Security and Intelligence Review Agency
• Responsible for reviewing all activities of CSE, and all national security activities across the GC
• NSIRA reviews CSE activities for compliance with the law and ministerial directions, and they review the reasonableness and necessity of CSE’s exercise of its powers
• Investigates any complaints against CSE
• NSICOP: National Security and Intelligence Committee of Parliamentarians
• Reviews CSE activities related to national security or intelligence, including the measures it has in place to protect the privacy of Canadians or persons in Canada

Cyber security and information assurance (Article 17, CSE Act)

Mandate

• Activities must not be directed at Canadians or Persons in Canada, and must not infringe the Canadian Charter of Rights and Freedoms
• Activities Requiring Ministerial Authorization: MA’s protect CSE where our activities would contravene any other act of Parliament (*or of any foreign state for FI, DCO, and ACO only); and/or would interfere with a reasonable expectation of privacy in relation to a Canadian or person in Canada

Conditions

• Activities must be reasonable, necessary and proportionate
• Measures are in place to protect the privacy of Canadians or persons in Canada
• Designation: MND may designate any electronic information, any information infrastructures or any class of either as being of importance to the GC
• Information identified as relating to a Canadian or a person in Canada will be used, analyzed or retained only if the information is essential to identify, isolate, prevent or mitigate harm to systems of importance
• Measures to protect privacy:
• Policies, training, retention, suppression, management approvals, ACL, audit, review, DLS, D2
• Canadian Identifying Information (CII) is only disclosed to designated people/classes of people if the disclosure is essential to international affairs, defence, security, or cyber security.
• Information relating to Canadians or persons in Canada may be disclosed to designated people/classes of people if necessary to protect systems of importance

Exceptions

• Using publicly available information that has been published or broadcast for public consumption, is accessible to the public on the GII or otherwise or is available to the public on request, by subscription or by purchase (does not include information where a Canadian or person in Canada has a reasonable expectation of privacy).
• Testing or evaluating products, software, and systems for vulnerabilities
• Analysing information and providing advice regarding foreign investments in Canada to the Ministers of PS/ISED for the purposes of the Investment Canada Act.
• Acquiring, using, analysing, retaining or disclosing infrastructure information for the purpose of research and development, for the purpose of testing systems or conducting cyber security and information assurance activities on the infrastructure from which the information was acquired.
• Carrying out activities on information infrastructures to identify, isolate, prevent and/or mitigate the activity and/or impact of malicious software on the infrastructure.
• Doing research and development and analysing information in order to provide advice and guidance on the integrity of supply chains and on the trustworthiness of e-communications, equipment and services.

Approvals

• Authorized by Minister of National Defence: MND must have reasonable grounds to believe that the conditions set out in law are met, including that the FI and CS activities are reasonable, necessary and proportionate and that the ACO/DCO activities are reasonable and proportionate.

Oversight

• Approved by Intelligence Commissioner:
• The IC must be satisfied that the ministerial conclusions are reasonable
• The IC approves CSE’s MAs before CSE can conduct any operations.

Review

• NSIRA: National Security and Intelligence Review Agency
• Responsible for reviewing all activities of CSE, and all national security activities across the GC
• NSIRA reviews CSE activities for compliance with the law and ministerial directions, and they review the reasonableness and necessity of CSE’s exercise of its powers
• Investigates any complaints against CSE

• NSICOP: National Security and Intelligence Committee of Parliamentarians
• Reviews CSE activities related to national security or intelligence, including the measures it has in place to protect the privacy of Canadians or persons in Canada

Defensive Cyber Operations (DCO) (Article 18, CSE Act)

Mandate

• Activities must not be directed at Canadians or Persons in Canada, and must not infringe the Canadian Charter of Rights and Freedoms
• Activities Requiring Ministerial Authorization: MA’s protect CSE where our activities would contravene any other act of Parliament (*or of any foreign state for FI, DCO, and ACO only); and/or would interfere with a reasonable expectation of privacy in relation to a Canadian or person in Canada

Conditions

• Activities must be reasonable and proportionate
• The objective of the ACO/DCO operation could not be reasonably achieved by other means
• Any information used to plan/conduct an ACO/DCO operation must be acquired under an FI or cyber security MA
• CSE is strictly prohibited from:
• Intentionally, or by criminal negligence, causing death or bodily harm;
• Interfering with the course of justice or democracy

Exceptions

• Using publicly available information that has been published or broadcast for public consumption, is accessible to the public on the GII or otherwise or is available to the public on request, by subscription or by purchase (does not include information where a Canadian or person in Canada has a reasonable expectation of privacy).
• Testing or evaluating products, software, and systems for vulnerabilities
• Analysing information and providing advice regarding foreign investments in Canada to the Ministers of PS/ISED for the purposes of the Investment Canada Act.
• Acquiring, using, analysing, retaining or disclosing infrastructure information for the purpose of research and development, for the purpose of testing systems or conducting cyber security and information assurance activities on the infrastructure from which the information was acquired.

Approvals

• Authorized by Minister of National Defence: MND must have reasonable grounds to believe that the conditions set out in law are met, including that the FI and CS activities are reasonable, necessary and proportionate and that the ACO/DCO activities are reasonable and proportionate.
• Approved if the Minister of Foreign Affairs is consulted

Oversight

• N/A

Review

• NSIRA: National Security and Intelligence Review Agency
• Responsible for reviewing all activities of CSE, and all national security activities across the GC
• NSIRA reviews CSE activities for compliance with the law and ministerial directions, and they review the reasonableness and necessity of CSE’s exercise of its powers
• Investigates any complaints against CSE

• NSICOP: National Security and Intelligence Committee of Parliamentarians
• Reviews CSE activities related to national security or intelligence, including the measures it has in place to protect the privacy of Canadians or persons in Canada

Active Cyber Operations (ACO) (Article 19, CSE Act)

Mandate

• Activities must not be directed at Canadians or Persons in Canada, and must not infringe the Canadian Charter of Rights and Freedoms
• Activities Requiring Ministerial Authorization: MA’s protect CSE where our activities would contravene any other act of Parliament (*or of any foreign state for FI, DCO, and ACO only); and/or would interfere with a reasonable expectation of privacy in relation to a Canadian or person in Canada

Conditions

• Activities must be reasonable and proportionate
• The objective of the ACO/DCO operation could not be reasonably achieved by other means
• Any information used to plan/conduct an ACO/DCO operation must be acquired under an FI or cyber security MA
• CSE is strictly prohibited from:
• Intentionally, or by criminal negligence, causing death or bodily harm;
• Interfering with the course of justice or democracy

Exceptions

• Using publicly available information that has been published or broadcast for public consumption, is accessible to the public on the GII or otherwise or is available to the public on request, by subscription or by purchase (does not include information where a Canadian or person in Canada has a reasonable expectation of privacy).
• Testing or evaluating products, software, and systems for vulnerabilities
• Analysing information and providing advice regarding foreign investments in Canada to the Ministers of PS/ISED for the purposes of the Investment Canada Act.
• Acquiring, using, analysing, retaining or disclosing infrastructure information for the purpose of research and development, for the purpose of testing systems or conducting cyber security and information assurance activities on the infrastructure from which the information was acquired.

Approvals

• Authorized by Minister of National Defence: MND must have reasonable grounds to believe that the conditions set out in law are met, including that the FI and CS activities are reasonable, necessary and proportionate and that the ACO/DCO activities are reasonable and proportionate.
• Approved if requested, or consented to, by Minister of Foreign Affairs

Oversight

• N/A

Review

• NSIRA: National Security and Intelligence Review Agency
• Responsible for reviewing all activities of CSE, and all national security activities across the GC
• NSIRA reviews CSE activities for compliance with the law and ministerial directions, and they review the reasonableness and necessity of CSE’s exercise of its powers
• Investigates any complaints against CSE

• NSICOP: National Security and Intelligence Committee of Parliamentarians
• Reviews CSE activities related to national security or intelligence, including the measures it has in place to protect the privacy of Canadians or persons in Canada

Technical and operational assistance (Article 20, CSE Act)

Mandate

• Subject to requests from federal law enforcement and security agencies, the Canadian Armed Forces (CAF), the Department of National Defence (DND)

Conditions

• CSE would have the same authority to carry out an activity as the agency requesting the assistance
• CSE would also be subject to any restrictions or conditions placed on the agency requesting that assistance, such as a warrant or applicable law
• In addition, for assistance to DND and the CAF, CSE would:
• Receive a written request from DND or CAF authorized by an appropriate representative
• Comply with all instructions, parameters, and limits of the authorized CAF activity
• Comply with all relevant Ministerial Directives issued by CSE by the MND
• Adhere to agreement or arrangements with DND and CAF
• Comply with all CSE policies and procedures related to the provision of assistance

Exceptions

• N/A

Approvals

• N/A

Oversight

• N/A

Review

• NSIRA: National Security and Intelligence Review Agency
• Responsible for reviewing all activities of CSE, and all national security activities across the GC
• NSIRA reviews CSE activities for compliance with the law and ministerial directions, and they review the reasonableness and necessity of CSE’s exercise of its powers
• Investigates any complaints against CSE
• NSICOP: National Security and Intelligence Committee of Parliamentarians
• Reviews CSE activities related to national security or intelligence, including the measures it has in place to protect the privacy of Canadians or persons in Canada

If the Minister were to make one comment:

• I'm looking forward to be the Minster of CSE - the most important organization Canadians have never heard of. CSE and its Cyber Centre play a vital role in protecting Canada and Canadians. Through their critical cyber security role, foreign signals intelligence, and cyber operations - CSE keeps Canadian systems and information safe. It contributes to Canada’s efforts to support Ukraine and helps protect democracy as a member of SITE.

If asked about current issues:

• Cyber Protection / CI
  • Cyber threats are a persistent threat to Canadian organizations. That includes to the critical infrastructure we rely on every day. I’m looking forward to working with CSE and its Cyber Centre to help protect against those threats.
• Ukraine:
  • CSE has been deeply involved in Canada’s response to Russia’s invasion of Ukraine. They have provided signals intelligence, sent cyber operators to Ukraine and Latvia to bolster their cyber security, and shared declassified intelligence on social media to fight Russian disinformation.
• FI/ SITE
  • CSE and its Cyber Centre are part of the Security and Intelligence Threats to Elections (SITE) Task Force, which is responsible for monitoring covert, clandestine, or criminal activities interfering with or influencing electoral processes in Canada. Throughout any federal election, including recent by-elections, the SITE Task Force actively monitors for any signs of foreign interference.