Table of contents
- Recommendation 1
- Recommendation 2
- Recommendation 3
- Recommendation 4
- Recommendation 5
- Recommendation 6
- Recommendation 7
- Recommendation 8
- Recommendation 9
- Recommendation 10
- Recommendation 11
- Recommendation 12
- Recommendation 13
- Recommendation 14
- Recommendation 15
- Recommendation 16
- Recommendation 17
- Recommendation 18
- Recommendation 19
- Recommendation 20
- No recommendation
Recommendation 1:
NSIRA recommends that CSE share its operational plans and associated risk assessments with CSIS prior to operating under CSIS authorities.
Related finding(s)
Finding 1: NSIRA found that CSE does not routinely share its operational plans and associated risk assessments with CSIS when operating under CSIS authorities. This may leave CSIS unable to fully assess CSE's activities for compliance.
Government response
- Agree with Recommendation 1
- Partially agree with Finding 1
Explanation
CSE agrees with Recommendation 1 and partially agrees with the associated Finding 1.
CSE agrees with the recommendation to share operational plans with CSIS and in August 2023, issued a policy update to the Assistance chapter of the Mission Policy Suite (sec. 1.3.3) stating that operational plans must be shared and discussed with the requesting organization to ensure compliance with policy and underlying authorities.
With regard to sharing risk assessments with CSIS prior to operating under CSIS authorities, CSE considers risk as part of the overall request for assistance (RFA) process. Risk considerations, including risks associated with the technical equities involved in undertaking an RFA, are included in documentation such as the RFA form and the operational plan.
Given the policy requirement, CSE has been sending these plans to CSIS for their review and approval. The CSIS RFA requestor/client is asked to review the plans, suggest changes and seek clarifications if and where required. CSIS must then approve the operational plan before any activities in support of an RFA begin.
Recommendation 2:
NSIRA recommends that when CSIS engages CSE for assistance with the execution of warranted powers, a CSIS employee be involved to ensure compliance in CSE's collection activities until the request for assistance has terminated.
Related finding(s)
Finding 2: NSIRA found that close collaboration at the working level created the right conditions for CSIS to monitor CSE's assistance activities for compliance with warrant conditions.
Government response
- Agree with Recommendation 2
- Agree with Finding 2
Explanation
CSE and CSIS agree with Recommendation 2, and the associated Finding 2. It is critical that a CSIS employee be involved to ensure CSE collection activities remain compliant until the CSIS request for assistance (RFA) has terminated.
CSIS has taken steps to improve oversight and engagement with CSE through the RFA program. To action this recommendation, CSIS assigns a designated point of contact who engages in frequent meetings with CSE to ensure communications and compliance.
As evident in CSE and CSIS documentation, when CSIS s.12 and s.16 warrants require a Designated Service Employee (DSE), CSE works with CSIS to enable access to the information and/or systems as required, to facilitate their review process.
CSE has also made improvements in the process by requiring that CSIS review and approve the release of s.12 reports, which aligns with the process used for CSIS s.16 reports. Although the DSE conditions only require review of information at the point of collection and retention, this additional step ensures there is a final review prior to any reporting being released.
CSE and CSIS agree with the finding that close collaboration between departments allowed for CSIS to monitor compliance with the warrant during RFA activities.
Recommendation 3:
NSIRA recommends that CSIS develop a process to ensure that necessary requests for assistance are submitted to CSE in a timely manner subsequent to obtaining warrant powers.
Related finding(s)
Finding 3: NSIRA found that CSIS failed to submit an updated request for assistance to CSE in a timely manner when it sought new warrant powers.
Government response
- Agree with Recommendation 3
- Partially agree with Finding 3
Explanation
CSIS agrees with Recommendation 3 and has already implemented internal procedures and mechanisms to ensure that requests to CSE are submitted promptly following the issuance of new warrant powers. CSIS' review of RFA programs are ongoing.
CSIS partially agrees with Finding 3 that its submission of an updated RFA was not timely. Submitting an RFA depends on a variety of factors; this includes pending operational changes, requirements or warrant conditions which can delay the renewal or sharing of an updated RFA. Therefore, "timely" is not a standard that can be applied uniformly. CSIS renews RFAs based on operational considerations and follows an established process for approvals and review.
In this case, CSIS's initial RFA submitted to CSE clearly indicated an expiry date, of which CSE was aware. CSE is also aware that it cannot support a CSIS warrant without an active RFA. While the finding is accurate, timeliness of it was not the cause of the issues highlighted.
Recommendation 4:
NSIRA recommends when working under a request for assistance CSIS and CSE develop a framework for joint investigation of potential compliance incidents.
Related finding(s)
Finding 4: NSIRA found that CSE and CSIS did not engage in any joint investigation, assessment, or tracking of a compliance incident.
Government response
- Agree with Recommendation 4
- Agree with Finding 4
Explanation
CSE and CSIS agree with the Recommendation 4 and the associated Finding 4.
The compliance units of CSE and CSIS now have a relationship that ensures information pertaining to incidents of non-compliance for joint operations is shared and communicated. CSIS and CSE will formalize a procedure to ensure proper tracking of the instances and to increase collaboration and communication amongst the compliance units of both organizations.
Recommendation 5:
NSIRA recommends that CSIS ensure roles and responsibilities are clearly agreed to prior to allowing partners to execute warrant powers. Where appropriate, these agreements should be shared with the Federal Court.
Related finding(s)
Finding 5: NSIRA found that CSE and CSIS failed to implement an effective operational framework for their collection activity. This contributed to two instances of noncompliance with the Federal Court's direction.
Government response
- Agree with Recommendation 5
- Agree with Finding 5
Explanation
CSIS agrees with Recommendation 5 and the associated Finding 5. The current RFA process is under review to ensure that roles and responsibilities are clearly agreed to prior to engaging with partners to execute warrant powers.
As an example, CSIS and CSE are finalizing a formal agreement with an external partner relating to the execution of warrant powers and will be sharing it with the Federal Court prior to implementation.
CSIS will work with the Department of Justice to ensure that any agreements with partners to execute warrant powers are brought to the attention of the Federal Court as appropriate.
Recommendation 6:
NSIRA recommends that CSIS ensure it is directly involved in all substantive communications with any partner actively executing its warrant powers.
Government response
- Agree with Recommendation 6
Explanation
CSIS agrees with Recommendation 6 and will be directly involved in substantive communications with any partner actively executing its warrant powers whenever possible.
There may be instances where CSIS's direct communications with international partners, whose assistance is brokered by CSE, is not possible. In such circumstances, CSE will promptly notify CSIS of any issues or concerns relevant to the execution of its warrant authorities raised by the international partner.
CSIS and CSE agree that CSIS will be included in substantive communications between CSE and the international partner where partners are operating under CSIS authorities.
Recommendation 7:
NSIRA recommends that CSIS share paragraphs 32 through 41 of this review, along with associated recommendations, with the Federal Court.
Government response
- Agree with Recommendation 7
Explanation
CSIS and Department of Justice agree with Recommendation 7. The report will be filed with the Federal Court, subject to redaction for solicitor-client and/or litigation privileges.
Recommendation 8:
NSIRA recommends that when CSE engages in joint operations with CSIS it should perform risk assessments for each operational activity. These should specifically consider the risk of targeting Canadians and implement proactive measures to mitigate this risk.
Related finding(s)
Finding 6: NSIRA found that CSE and CSIS identified an effective opportunity to collaborate under their respective mandates and carried out an operation that proved beneficial for both Canada and its allies.
Finding 7: NSIRA found that, while CSIS's operational framework was sufficient, CSE's operational framework did not assess legal and policy risk specific to the operation.
Government response
- Agree with Recommendation 8
- Agree with Finding 6
- Partially agree with Finding 7
Explanation
CSE agrees with Recommendation 8 and the associated Finding 6, and partially agrees with Finding 7.
CSE agrees that it collaborates with CSIS to identify and pursue opportunities to advance government intelligence priorities under their respective mandates.
The framework used by CSE at the time to assess the operation prompted consideration of legal and policy risks, but it did so inadequately. The framework has since been updated. CSE will update the operational risk assessment process to better capture the risk of targeting Canadians and associated mitigations when performing joint operations with CSIS.
Recommendation 9:
NSIRA recommends that when participating in joint operations, CSE and CSIS either jointly develop or share written terms of engagement, operational plans, and risk assessments.
Related finding(s)
Finding 8: NSIRA found that CSE and CSIS did not draft joint terms of engagement, a joint operational plan, or engage in joint risk assessments.
Government response
- Agree with Recommendation 9
- Partially agree with Finding 8
Explanation
CSE and CSIS agree with the Recommendation 9 and partially agree with the associated Finding 8.
CSE acknowledges that it did not draft joint terms of engagement or an operational plan with CSIS. However, internal terms of engagement outlined roles and responsibilities within CSE for communication, along with risk mitigation measures, which in turn informed regular engagement with CSIS.
CSE agrees that the sharing of terms of engagement, operational plans and risk assessments is important and notes that in some cases it already occurs. CSE will strengthen processes to ensure that said sharing takes place more consistently and forms a part of operating procedures.
CSIS procedures to support joint operations, joint operation approval requests, and their associated risk assessments can be found in operational approval request and travel policy documents. As of April 2023, CSIS has further codified the principles to support the conduct of operations that apply to joint operations in CSIS Policy.
CSIS agrees that joint operations with domestic partners could involve better coordination of operational plans and risk assessments. CSIS will develop better processes for the sharing of relevant risk information in joint operations with CSE.
Recommendation 10:
NSIRA recommends that CSE perform foreignness assessments that account for the increased risk of targeting Canadians when working with CSIS.
Related finding(s)
Finding 9: NSIRA found that CSE's foreignness assessment did not account for the increased risk of targeting Canadians when working with CSIS.
Government response
- Partially agree with Recommendation 10
- Disagree with Finding 9
Explanation
CSE partially agrees with Recommendation 10 and disagrees with the associated Finding 9.
The nature of CSE foreign intelligence activities are such that there will often be incomplete information available regarding a target prior to SIGINT acquisition commencing. A foreignness assessment is conducted prior to targeting based on the information available at the time, including any information available to CSE regarding Canadians or persons in Canada. A foreignness assessment is conducted on a 'reasonable grounds to believe' standard and as new information is discovered it is evaluated to ensure the threshold continues to be met.
CSE has made improvements to the process it uses for the receipt of disclosures from CSIS. The new process is designed to help identify risks upfront to assist with foreignness assessments and operational planning.
During the operation in question, measures were in place to mitigate the risk of inadvertently targeting Canadians or persons in Canada.
Recommendation 11:
NSIRA recommends CSIS cease making requests for action and/or further information to CSE in relation to Canadians or people in Canada via CSIS lead information messages.
Related finding(s)
Finding 11: NSIRA found that CSIS's use of lead information messages to share information and make requests about Canadians creates a high risk of potential for noncompliance for CSE.
Government response
- Disagree with Recommendation 11
- Agree with Finding 11
Explanation
CSIS disagrees with Recommendation 11, but agrees with the associated Finding 11.
A complete cessation of such requests would have a negative impact on CSIS's ability to investigate threats to Canada's national security. To advance its operations, CSIS needs to leverage CSE's expertise on an ongoing basis. Per s.19(2) of the CSIS Act, CSIS may disclose information for the purposes of the performance of its duties and functions.
CSIS engages CSE on various national security files. In some cases, this engagement includes sharing certain information that CSIS assesses may be relevant to CSE's foreign intelligence mandate. This information is assessed by CSE for further use in accordance with its own legislation, governance frameworks and policies. In other cases, CSIS shares lead information related to Canadians that are subject to warrants issued under s.21 of the CSIS Act in order to leverage CSE's capabilities via an RFA.
When CSE's capabilities are leveraged via an RFA, CSE is acting under the assistance aspect of its mandate, which allows it to operate under the authorities of the requesting agency. CSIS does not request that CSE collect information on Canadians outside of an RFA.
CSIS provides lead information that may include incidental information about Canadians and identifies when there is a Canadian nexus to help CSE avoid circumstances in which they may inadvertently collect on Canadians. If adopted, Recommendation 11 would in fact lead to more compliance issues than not.
Regarding Finding 11, CSIS agrees that there is a risk for potential noncompliance by CSE. To mitigate that risk, CSIS will develop and implement procedures and training on the disclosure of CLIs to CSE, especially when there is a nexus to Canadians.
Recommendation 12:
NSIRA recommends that CSIS develop policies, procedures, and analyst training to standardize the disclosure of CSIS lead information messages to CSE.
Related finding(s)
Finding 10: NSIRA found that both CSE and CSIS lack policies, procedures, and accountability mechanisms to govern CSIS lead information messages and associated requests and actions.
Government response
- Agree with Recommendation 12
- Partially agree with Finding 10
Explanation
CSIS agrees with the Recommendation 12 and partially agrees with Finding 10.
CSIS has a suite of policies, procedures and mechanisms in place that govern RFAs. This governance is applied when engaging CSE via CLIs that are deemed strictly necessary (as noted within the CSIS Act and internal CSIS policies). CSIS also uses standardized templates to communicate and record operational correspondence and exchanges.
CSIS will continue to evolve its policies and procedures. This includes a commitment to improved analyst training that will standardize the disclosure of CLIs.
Comprehensive training for both CSIS and CSE will promote a better understanding of each agency's mandate and policies. CSIS agrees there should be greater communication between the two organizations when there is a change in policy that would impact the operational relationship between CSE and CSIS.
Recommendation 13:
NSIRA recommends that CSE develop policies, procedures, and analyst training to standardize the use of CSIS lead information messages.
Related finding(s)
Finding 10: NSIRA found that both CSE and CSIS lack policies, procedures, and accountability mechanisms to govern CSIS lead information messages and associated requests and actions.
Government response
- Agree with Recommendation 13
- Agree with Finding 10
Explanation
CSE agrees with Recommendation 13 and the associated Finding 10.
CSE agrees that, at the time of the review, there were no centralized procedures or accountability mechanisms for incoming disclosures of lead information to CSE. CSE agrees to implement a centralized method to track/account for disclosures of lead information from Government of Canada agencies.
Recommendation 14:
NSIRA recommends that CSE develop a regime for collecting, retaining, and reporting to CSIS Canadian information it uncovers further to legitimate foreign intelligence activities where it has advance knowledge of the Canadian information.
Related finding(s)
Finding 12: NSIRA found that CSE's application of incidental collection provisions may not be appropriate in situations where CSE knows there is a Canadian nexus to a CSIS foreign intelligence lead, and where it knows it is likely to collect Canadian information in pursuing the lead.
Government response
- Disagree with Recommendation 14
- Disagree with Finding 12
Explanation
CSE disagrees with Recommendation 14 and the associated Finding 12.
While CSE agrees in principle with this recommendation, CSE policy and training make clear that targeting a foreign entity with the objective of acquiring information on a Canadian or person in Canada (i.e., reverse targeting) is prohibited. The prohibition is clear and absolute, thus, CSE does not believe that there is a need for a new policy regime. Furthermore, requirements for privacy protection measures governing the retention, reporting and disclosure of incidentally collected information related to a Canadian or person in Canada are already in place.
NSIRA's finding was based on a specific CSE intelligence report that included some incidentally collected information related to a Canadian or person in Canada. CSE disagrees with NSIRA's determination that the report did not contain any valid foreign intelligence.
Recommendation 15:
NSIRA recommends that CSE update its policies to prohibit the analysis of information relating to a Canadian or person in Canada for the purposes of identifying foreign intelligence.
Related finding(s)
Finding 13: NSIRA found that CSE did not comply with section 22(1) of the CSE Act when it analyzed [Canadian's information] obtained through a CSIS lead information message.
Government response
- Agree with Recommendation 15
Explanation
CSE agrees with Recommendation 15 and takes note of Finding 13.
Section 22(1) of the CSE Act clearly prohibits the direction of activities at a Canadian or person in Canada for foreign intelligence purposes. CSE understands the importance of upholding this critical aspect of its enabling legislation and considers lawfulness to be a core corporate value.
CSE will review the current version of the MPS and adjust language and policy training material for operational analysts, if necessary, to address any ambiguity around what actions are permissible.
Recommendation 16:
NSIRA recommends that if CSIS decides to disclose exceptional reporting to CSE, it should extract the relevant foreign intelligence for disclosure as opposed to sending the entire report.
Related finding(s)
Finding 14: NSIRA found that CSE did not comply with either section 22(1) of the CSE Act or section 273.64(2)(a) of the National Defence Act (NDA) when it used [a specified number] of complete exceptional reports for foreign intelligence purposes.
Government response
- Disagree with Recommendation 16
Explanation
CSIS disagrees with Recommendation 16. CSIS will exercise its discretion on a case-by-case basis to assess when and how to provide exceptional reporting to CSE. It is sometimes important to provide fulsome context to CSE to make a well-informed assessment. CSE is best positioned to decide what falls within its own mandate; CSIS is not responsible for extracting information that may not meet CSE's mandate.
Recommendation 17:
NSIRA recommends that CSE cease using complete exceptional reports from CSIS under its foreign intelligence mandate.
Related finding(s)
Finding 14: NSIRA found that CSE did not comply with either section 22(1) of the CSE Act or section 273.64(2)(a) of the National Defence Act (NDA) when it used [a specified number] of complete exceptional reports for foreign intelligence purposes.
Government response
- Disagree with Recommendation 17
Explanation
CSE disagrees with Recommendation 17 and takes note of Finding 14.
CSE does recognize that the previous process would benefit from adjustments. CSIS may still disclose exceptional reports to CSE, either in part or as a whole, when it deems it necessary, via a new disclosures process that was put in place in early 2024 in response to Recommendation 13 (above). The new process will require the disclosing entity to specify the foreign intelligence information within the disclosed information.
Recommendation 18:
NSIRA recommends that CSE introduce a requirement to always apply the protected entity tool to all Canadian identifiers.
Related finding(s)
Finding 15: NSIRA found that CSE does not consistently utilize its protected entity tool to prevent targeting Canadian identifiers it receives from CSIS.
Government response
- Disagree with Recommendation 18
- Partially agree with Finding 15
Explanation
CSE disagrees with Recommendation 18 and partially agrees with the associated Finding 15.
Adopting this recommendation would result in CSE retaining information on Canadians or persons in Canada in its holdings at a level that would be disproportionate to the objective being sought. Currently, selectors that are obviously Canadian (e.g., gc.ca email addresses) would be screened out as part of CSE's targeting process, thus adding them to the protected entity list would be redundant and result in CSE holding information about Canadians or persons in Canada unnecessarily. Conversely, using the protected entity tool, as CSE currently does, to record selectors that initially appear to be foreign, but are discovered to be Canadian upon further analysis, results in a tool that provides a value-added mechanism to mitigate the risk of inadvertently targeting Canadians or persons in Canada.
CSE uses the protected entity tool extensively in circumstances where doing so is appropriate, but it recognizes that there has been some inconsistency in how it is used. As such, CSE will update its policies and procedures to help address the inconsistencies.
Recommendation 19:
NSIRA recommends that CSIS pursue routine engagement with CSE during the implementation of its Threat Reduction Measures when the potential for operational overlap exists.
Related finding(s)
Finding 16: NSIRA found that while CSIS performs an initial consultation, it does not routinely pursue further engagement with CSE during Threat Reduction Measure activities that could overlap with CSE activities.
Government response
- Agree with Recommendation 19
- Partially agree with Finding 16
Explanation
CSIS agrees with Recommendation 19. CSIS engages in routine consultations with CSE prior to implementing TRMs that could overlap with CSE activities.
CSIS partially agrees with the associated Finding 16. CSIS agrees that there have been some instances where CSE was only consulted on TRMs at the preliminary phase, however ongoing consultations have been a regular occurrence for other TRMs that could overlap with CSE activities. This includes recurring, frequent de-confliction meetings with other government departments.
Recommendation 20:
NSIRA recommends that CSE share details of potential compliance incidents with CSIS when an overlap may exist with a CSIS Threat Reduction Measure.
Related finding(s)
Finding 17: NSIRA found that CSE did not notify CSIS in a timely manner of a compliance incident in its Active Cyber Operation, which was connected to a CSIS Threat Reduction Measure.
Government response
- Agree with Recommendation 20
- Disagree with Finding 17
Explanation
CSE agrees with Recommendation 20 and disagrees with the associated Finding 17.
CSE disagrees that CSE did not notify CSIS of the incident, as CSE did notify CSIS and notes that in this case CSIS had already ceased TRM activities. CSE is not always notified in a timely manner of CSIS TRM activities or their status. However, CSE agrees that in general and where possible, it notifies CSIS of compliance incidents which may impact CSIS operations. CSIS and CSE support creating a formalized procedure to ensure proper tracking of compliance incidents and to increase collaboration and communication amongst the compliance units of both organizations.
No recommendation
Related finding(s)
Finding 18: NSIRA found that CSE failed to cooperate effectively with CSIS, leading to a missed opportunity to advance Canadian intelligence objectives via domestic collaboration.
Government response
- Partially agree with Finding 18
Explanation
CSE partially agrees with finding 18.
CSE disagrees that there were missed opportunities to advance intelligence objectives. CSE will continue to provide CSIS with technical advice and, to date, CSE has supported every RFA received relating to the operation in question. CSIS' goal for this potential opportunity would require a significant amount of resources, in terms of people, capability development, and hardware. CSE has and will continue to have technical discussions with CSIS and support related RFAs in order to assist CSIS in meeting its intelligence objectives in a way that aligns with CSE's available resources.