CSE’s Management Response to Recommendations in NSIRA’s Review of CSE’s Network-based solutions and related Cybersecurity and Information Assurance activities (‘NBS’)

Recommendation 1:

NSIRA recommends that CSE clearly explain, in its applications to the Minister, that:

  • Network-based solutions acquire information relating to a Canadian or a person in Canada (IRTC), including information that interferes with the reasonable expectation of privacy (REP) of Canadians or persons in Canada; and,
  • CSE subsequently uses, analyses, and retains this information for use in cybersecurity and information assurance activities.

CSE response to recommendation 1:

CSE partially agrees with this recommendation.

CSE agrees that the application to the Minister should provide a clear understanding of these elements, and believes each of them has been clearly communicated. CSE’s applications speak to CSE’s acquisition of this type of information, its subsequent use, and the privacy protections employed.

Recommendation 2:

NSIRA recommends that CSE renew its Memorandum of Understanding with SSC to ensure CSE and SSC meet their respective commitments, including any that CSE makes to the Minister regarding SSC’s role in informing system owners about the NBS program.

CSE response to recommendation 2:

CSE partially agrees with this recommendation.

CSE will work with SSC to update the 2014 MOU and ensure that the expectations outlined remain aligned with updated Government of Canada policies, are reflective of current authorities and clearly articulate roles and responsibilities.

There is a valid 2014 MOU between SSC and CSE regarding the provision of Cyber Defence services by CSE to help protect computer systems and networks under the control and supervision of SSC. The MOU clearly states that SSC is the system owner and operator of the enterprise networks where the NBS services are provided and it is SSC’s responsibility to ensure that SSC clients have been informed that CSE will conduct cybersecurity and information assurance activities in order to protect the Government of Canada networks.

The roles and responsibilities with respect to monitoring, including those of CSE and SSC, are outlined in the Treasury Board Policy on Service and Digital (PSD), which indicates that CSE is responsible for security and monitoring of the networks.

Under the Treasury Board Policy on Service and Digital (PSD), deputy heads are responsible for informing their authorized users of departmental electronic networks and devices of monitoring practices being applied by their own department and by SSC.

SSC, as the system owner, has indicated that it understands its responsibilities under the PSD and its obligations under the MOU with CSE for the provision of cyber defence services as system owner and operator of the enterprise networks where the NBS services are provided.

Recommendation 3:

NSIRA recommends that CSE update Memoranda of Understanding with all of its cybersecurity partners, to ensure these partners have consented to CSE cybersecurity activities, and to ensure these arrangements reflect, and conform to, contemporary governance authorities. CSE should continue these updates, as a standard practice, as authorities evolve.

CSE response to recommendation 3:

CSE partially agrees with this recommendation.

CSE will work with its cybersecurity partners to update the existing MOUs and ensure that the expectations outlined remain aligned with updated Government of Canada policies, are reflective of current authorities and clearly articulate roles and responsibilities.

The findings related to this recommendation are specific to the MOU with SSC. CSE maintains separate MOUs with other departments that are not under the purview of the PSD and/or operating on the networks for which SSC is the system owner and with whom CSE has arrangements to provide NBS services. These MOUs clearly articulate the cyber defence services the departments are receiving and form the basis of consent between CSE and the system owner. The system owners are fully aware of their responsibilities as well as the scope of cyber defence services being provided on their networks.

Recommendation 4:

NSIRA recommends that CSE explain to the Minister how consent to CSE’s cybersecurity activities is obtained from users of Government of Canada systems, or otherwise explain why this consent could not reasonably be obtained.

CSE response to recommendation 4:

CSE partially agrees with this recommendation.

CSE agrees that the Minister should be provided information on how consent from users of Government of Canada systems is obtained. CSE’s applications for ministerial authorizations for cybersecurity activities make clear to the Minister that in accordance with standard government practice, federal institutions must advise authorized users that their device or network activity is being monitored for cybersecurity and information assurance purposes. By acknowledging this notification, users demonstrate their consent to the federal system owner with whom CSE has an agreement to provide these cybersecurity services.

Recommendation 5:

NSIRA recommends that CSE reconsider whether limits on the acquisition by CSE of information from the global internet infrastructure (as per subsection 22(4) of the CSE Act) apply to [certain] information. This should include an assessment of whether section 8 of the Charter of Rights and Freedoms may be engaged, as well as cases where [certain] data may contain information that interferes with the reasonable expectation of privacy of a Canadian or person in Canada.

CSE response to recommendation 5:

CSE disagrees with this recommendation.

CSE has already determined the legal limits that apply on the acquisition of information from the global information infrastructure. CSE remains confident in the lawful conduct of its cybersecurity and information assurance activities.

Recommendation 6:

NSIRA recommends that, in order to continue these acquisition activities that are necessary for cybersecurity and information assurance (CSIA) purposes, CSE assess its current sources of CSIA information—that are acquired outside of an Authorization—for interference with the reasonable expectation of privacy of a Canadian or person in Canada. This assessment should be repeated as required to ensure such information is not acquired without a valid Ministerial authorization.

CSE response to recommendation 6:

CSE partially agrees with this recommendation.

CSE’s Program for Operational Compliance (POC) has undertaken an activity to ensure that CSE’s acquisition of certain cybersecurity information meets the prescribed threshold.

As is normal practice, POC will perform an assessment or study of various cybersecurity and information assurance activities to ensure ongoing compliance. Further, when developing new tools or acquiring new information, POC will continue to work with operational staff to ensure that all required practices are put in place prior to implementation or acquisition.

Recommendation 7:

NSIRA recommends that section 27 of the CSE Act be amended to permit the Minister to authorize CSE to acquire information that is necessary for CSE’s cybersecurity and information assurance aspect (but which may contain information that interferes with the reasonable expectation of privacy of a Canadian or person in Canada, or contravene an Act of Parliament), from sources other than federal information infrastructures and systems of importance to the Government of Canada.

CSE response to recommendation 7:

CSE agrees with this recommendation.

CSE agrees that legislative amendments would help clarify the ability of the Minister of National Defence to authorize CSE to acquire cybersecurity information from the GII that interferes with the reasonable expectation of privacy of a Canadian or person in Canada.