Chief Shelly Bruce’s speech for Centre for International Governance Innovation, May 18, 2021

[CHECK AGAINST DELIVERY]

Hello, and thank you Aaron for that introduction.

As Aaron said, my name is Shelly Bruce and I am the Chief of the Communications Security Establishment -- the most important government agency you’ve never heard of.

I’m exaggerating. But not by much.

According to a recent survey, when given a description of our mandate, only 3% of Canadians could name CSE as the government agency in question. More than 80% hadn’t a clue. 11% thought we were CSIS.

And for most of our 75-year history, that would have suited us just fine.

But things are changing, and I can tell you with some degree of certainty, that you will be hearing a lot more from CSE in future. But I’ll get to that in a minute.

But first, we need a short primer - who ARE we, and what DO we do?

CSE is Canada’s national cryptologic agency.

That’s an erudite way of saying code-making and code-breaking.

And that, in turn, is an oblique way of saying that CSE has a rich history of foreign signals intelligence and communications security dating all the way back to the Second World War.

What began as a signals corps in support of the British War effort quickly became joined up military and civilian signals intelligence operations. By the end of the war, the Canadian intelligence efforts had exceeded all expectations and demonstrated just how effective and important these capabilities could continue to be in the US-Commonwealth partnership in the emerging post-war era.

Formally established in 1946, the Communications Branch of the National Research Council, or CBNRC, became that cryptologic agency. In 1975, the CBNRC was renamed the Communications Security Establishment, under the Department of National Defence.

That means that this year we are celebrating 75 years of national leadership as Canada’s foreign signals intelligence agency and communications security agency. And while the Government’s priorities have changed to keep pace with the issues of the day, and while technology has changed beyond recognition in the last three-quarters of a century, the bedrock of our mission has not – we continue to provide an information advantage to Canada’s decision makers and to protect nationally important systems and information.

We are very proud of the work of our cryptologic predecessors, some more well-known than others, for the work that they did in responding to real world events, and in laying some important foundations in computer science, mathematics, and artificial intelligence.

And that’s why you’ll hear more from CSE in the future. Because there is a direct line from our traditional stock in trade to the challenges Canada faces today.

Today, we live in a cyber world. And that is CSE’s wheelhouse.

And our people are at the very centre of that wheelhouse.

Today, we have brilliant engineers and mathematicians. Code-makers and codebreakers. Linguists and analysts. We also have researchers, computer and data scientists and software developers. Cyber security and malware analysts and reverse-engineering specialists. And they are supported by other, talented teams across the organization who are also dedicated to the mission of keeping Canada and Canadians safe.

We are technical to our core. We are dedicated to continuous innovation. And we are committed to diversity and teamwork. Because the problems we face keep growing in complexity and we need those different perspectives, skills and mindsets to tackle them.

CSE’s thought leaders continue to trailblaze modern day solutions for Canada, just as their predecessors did.

So that, in a nutshell, is our history. This is who we are and what we do.

Just one more thing before we dive into the discussion on cyber security readiness.

I’d like to take a moment to reinforce the importance of our foreign intelligence mission.

It’s really hard to convey just how much CSE has had to innovate over the past seven and a half decades to keep up with the dynamic global communications and technology environment. But we have, and we’ve maintained our solid track record of providing information about the motivations, intentions, capabilities, and activities of Canada’s foreign intelligence targets.

And, today we continue to deliver unique, timely and useful foreign intelligence regarding global issues, crises or events that affect Canada.

Our foreign intelligence also helps protect and support deployed Canadian military missions. It helps Canadian security partners disrupt terrorist and extremist threats to Canada, as well as counter espionage, foreign interference, and transnational crime.

If there’s one thing we’ve discovered over the years, it’s that—just like everybody else—traditional threat actors are taking advantage of today’s cyber environment to support and advance their activities.

These wide-ranging foreign intelligence insights are important for Government decision and policy makers on a day-to-day basis, but also in the context of today’s specific conversation.

It should come as no surprise to any of you that our foreign intelligence program also sheds light on global cyber threats—whether they’re state-sponsored or criminal—as the people behind the keyboards assess their opportunities, craft campaigns and exploit systems to gather our secrets, intellectual property, personal and financial data, to extort money, or to position themselves for more malign, more disruptive purposes.

So now that we are caught up and properly acquainted, let me get to why all of these foundations matter when it comes to cyber security in the 21st century.

Canadians have always been early adopters of technology and we are very comfortable online. The pandemic has only reinforced and accelerated that trend.

Today we consider this kind of Canadian technological embrace a distinct national advantage. It underpins Canada’s prosperity and competitiveness, and it also affects Canadians’ quality of life… just imagine how we would have coped during the pandemic without being able to live and work online the way we did. The way we still do.

But while there are benefits to be gained from adopting emerging technologies and being plugged in, we are reminded everyday about the risks they carry. Risks to our privacy, our economic security, and even our personal safety and physical wellbeing.

I’d like to give you a quick tour of the cyber threat landscape as we see it. And then I’ll talk about what CSE is doing to help mitigate cyber risks.

The bottom line (and spoiler) here is that the threat and risk surface is growing, and the slate of players looking to exploit both human and technical vulnerabilities is also growing.

Our aperture of classified, sensitive, and open sources tells us a few interesting things.

First, we know that cybercrime is the most prevalent, most pervasive threat to Canadians and Canadian businesses. Online fraud, ransomware exploits, the theft of personal data. These are big business. And with cyber threat actors selling their tools and skills online, you don’t even need technical expertise to be a cybercriminal these days. It is a full-service industry, one that even features helpdesk support.

Critical infrastructure and large enterprises are the most lucrative ransomware targets, because they are the least able to tolerate operating disruptions and they have the deepest pockets.

But we also know that state-sponsored threat actors are probing Canada’s government systems and national critical infrastructure, such as the electricity grid, for their own strategic intent.

To be clear, without international hostilities, we don’t think that state-sponsored actors would choose to turn off the lights in Canada, but you can be sure they are seeking these capabilities, for when and if they need them.

And as the operational technology used to control critical infrastructure and industrial systems becomes more Internet-connected, the threat surface expands and becomes more complex. And we all know that with increased complexity comes increased risk.

Cyber threat actors of all kinds are interested in Canadian intellectual property. They target start-ups, businesses, academia, government departments, research organizations… They are targeting those with valuable information that can be used for financial gain or strategic advantage, or both. For example, during the pandemic, we saw cyber actors zero in on vaccine research organizations in Canada. Widespread, systematic commercial espionage robs Canada of its innovation edge, to the detriment of our future prosperity, and our competitiveness.

State actors also seek to influence political discourse, sow discord, and undermine trust in democracy by spreading information on an industrial scale. This is no longer limited to election periods. It is a constant, ongoing global phenomenon. And even if Canada is not in the specific crosshairs of a directed campaign, the interconnectedness of our global information spaces means we will feel the collateral impact of these efforts.

These are just a few examples, a snapshot of the threats we face.

If you want a comprehensive overview of Canada’s cyberthreat challenges, I highly encourage you to read CSE’s 2020 National Cyber Threat Assessment. It’s available in all good bookstores now.

I’m kidding. It’s available online, and it’s free, at Cyber.gc.ca.

Cyber security is not abstract. Cyber systems, digital systems, they do not exist in a vacuum. They exist in relation to people with real-world implications for their privacy, their prosperity, their wellbeing.

I know this all sounds a bit dire. But the good news is that we can all play a role in offsetting these cyber risks and creating a Canadian culture of cyber security.

Here is what CSE brings to the table.

There have been a couple major developments over the past years that have helped position us to be a more effective leader in this space.

The first came in 2018. The Canadian Centre for Cyber Security was created, bringing together decades of mission expertise from across the federal government and uniting it under one roof, as part of CSE. The Cyber Centre has an outward-facing role, with a mandate to work with industry and academia to raise the cyber security bar across Canada. They are the ones who write the National Cyber Threat Assessment. The Cyber Centre website is packed with foundational cyber security guidance as well as specific technical advice aimed at different audiences. Again… cyber.gc.ca. I highly recommend you check it out.

To give one topical example, the Cyber Centre has been particularly focused over the past year on pandemic-related cyber matters. We work in partnership with Canada’s health sector on this, alerting them to threats, offering specific indicators of technical advice, hands-on assistance, and cyber security training. Right now, the Cyber Centre teams are helping to protect the vaccine rollout from cyber compromise.

The second major development was the overhaul of our governing legislation.

In 2019, Parliament passed The CSE Act. A mutually reinforcing, multi-part mandate that positions us to help address Canada’s cyber challenges.

Part one: foreign intelligence. I’ve already mentioned that we are the national authority for foreign signals intelligence, meaning we target, access, decode and analyze foreign communications in response to the government’s intelligence priorities.

Part two: we are the national technical authority for cyber security, meaning we can provide cyber defences not only for the federal government, but also for designated non-federal systems, for example in national critical infrastructure.

Part three: we can conduct foreign cyber operations, meaning we can take action online to defend and advance Canada’s interests in cyberspace.

And, CSE is also mandated to use our technical expertise to assist federal partners, including the Canadian Armed Forces, to conduct cyber operations under their own mandates and in line with their own authorities. This avoids replicating costly capabilities across government.

CSE’s integrated, legislated mandate was designed to discover, detect, identify, respond to and ultimately help deter cyber threat actors. Our authorities allow us to work with a broad range of partners with whom we can amplify our unique technical and operational value.

So where do we start?

Cyber threat actors need three things to be effective: motivation, capability and opportunity. Our job is to degrade one or more of those variables in a way that undermines their overall chances of success.

So, for CSE, the first order of business is to raise the domestic cyber security bar. This might also be called “the best defence is a good defence”.

We must make Canadian cyberspace a harder target.

We must raise the costs to those who want to access our information and our information systems.

We must build a national culture of cyber security collaboration, based on strong partnerships and best practices.

And, when things go wrong, we must respond swiftly and effectively.

As a federal government agency, we started a couple decades ago by turning our attention to the systems that were in our own backyard. Today, CSE’s Cyber Centre works closely with government partners at Treasury Board and Shared Services to safeguard Canada’s federal networks.

CSE has learned a lot over this time, designing and operating extensive arrays of network and host-based sensors to protect the sensitive information that resides on these systems.

Every day, we block billions of cyber actions against departments and agencies that are within the protective perimeter. Our defences are fueled by artificial intelligence and are constantly refined based on what we learned day in and day out. This is how we protect Canada’s secrets, our research, our intellectual property, and the personal data of Canadians.

So the federal public system is well protected. What about the private sector? CSE plays a broader national role. We take the unique knowledge that we acquire from federal sensoring and from our classified foreign intelligence operations and we incorporate those insights into our public threat assessments, and our practical guidance and support for Canadian businesses.

We publish alerts and advisories when urgent information is required, like in the case of the Solar Winds and Microsoft Exchange cases.

We have built strong international partnerships over decades that have created trusted foundations to allow us to share both technical and threat information.

We also share indicators of compromise with private sector partners whenever those can help bolster the defences of those who might be targeted.

And we share tools and solutions that we have developed in house. One of these, a malware analysis and detection tool called AssemblyLine, has been downloaded about 3 thousand times by leading Canadian and international companies. And we are now seeing cyber security experts and open-source developers around the world building on it and making it even better.

We work very closely with our domestic partners in the telecommunications, energy, finance, transport and, especially this past year, the health sector. We’ve helped to raise the bar for those fighting the pandemic, whether they are in government, hospitals, health research, universities or part of the vaccine development and roll out.

We also take what we learn through our mission and apply it to make the Internet safer for Canadians.

At the national level, our threat feed is incorporated into Canadian Shield, a free, downloadable app from the Canadian Internet Registration Authority that blocks users from inadvertently connecting to malicious websites. Since it was first offered a year ago, more than 20 million malicious domain connections have been blocked by Canadian Shield.

We are also making it harder for malign cyber actors to spoof Government of Canada domains. Since last March, we have worked with private sector partners to remove over 7000 malicious domains that were posing as official government sources. This has been especially important during the pandemic. The Public Health Agency of Canada and websites related to the Canada Emergency Response Benefit were among the most frequently impersonated domains. This has helped reduce the risk that Canadians will encounter misinformation, being defrauded or be lured into phishing campaigns to steal their information.

Then there’s our Get Cyber Safe campaign. It’s an ongoing program offering rock solid, easy-to-implement cyber security advice in an informal way that sometimes borders on cheeky, to try and get people’s attention.

The ultimate goal of Get Cyber Safe is to arm thirty-eight million Canadians with the basics so they can take up their place as Canada’s front-line of cyber defenders.

Check it out on social media as well. You’ll see what I mean.

So these are just a few examples of how we are trying to raise the bar domestically so that the costs to cyber threat actors are high enough that it makes them think twice before they take the effort to exploit Canadian targets.

But Canada doesn’t exist in a vacuum. Even the best domestic posture needs to consider Canada’s place in the global cyber context and as part of an international community of likeminded countries who are committed to an open, secure, safe, accessible and inclusive internet.

So, if our first goal is raising the Canadian cyber security bar, our second goal is to create stability and predictability in global cyberspace.

How do we do that?

Canada has been working with international partners to set parameters around what is considered responsible cyber behaviour and then promoting these parameters as agreed upon cyber norms. CSE supports our colleagues at Global Affairs who are leading this particular effort along with multilateral groups and allied partners, and who are developing Canada’s International Cybersecurity Strategy and our Diplomacy Initiative.

Setting normative behaviours is vitally important.

It positions Canada and others to respond when our national interests are threatened by what we consider irresponsible cyber behaviour. Our response can draw from a wide range of traditional measures, including diplomatic interventions or even public attributions. Over the past several years, we’ve not shied away from calling out irresponsible cyber behaviour when we believe those actions have crossed lines.

Of course, Canada must not just advocate for, but also respect those evolving cyber norms.

Parliament gave CSE a mandate to use our technical capabilities responsibly in cyberspace--beyond intelligence gathering--to protect and advance Canada’s interests in the areas of international affairs, defence and security. And that includes taking action to disrupt irresponsible behaviours online.

These authorities and the activities that are conducted under them are really important tools in Canada’s toolkit.

But we must make sure that they fall clearly inside the parameters of normative behaviours in cyberspace.

The CSE Act reinforces Canada’s position on what constitutes reasonable, proportionate behaviour in cyberspace, and that is aligned with international law as well as Canadian values.

Canada’s foreign cyber operations must respond to broader Government of Canada priorities. They must fit within the limits proscribed by law and policy, and they must be authorized by the Minister of National Defence, in consultation with the Minister of Foreign Affairs. Canada’s foreign cyber operations must respond to broader Government of Canada priorities. They must fit within the limits proscribed by law and policy, and they must be authorized by the Minister of National Defence, in consultation with the Minister of Foreign Affairs.

It is not appropriate obviously to speak of specific efforts here, but it is worth noting that our foreign cyber operations are subject to review by independent external bodies.

So, when we take all of this together, these efforts – raising the bar, defining normative behaviours, setting an example in cyber space, all of these can help improve Canada’s cyber readiness and our digital resilience. They won’t entirely eliminate motivation, or capability, or opportunity, but they will introduce new barriers and raise cautions that will deter some threat actors. And ultimately, this will allow us to focus on those who are most determined to get what they are after.

In closing, let me say this.

CSE is committed to helping Canada protect its information and its national critical infrastructure. And we’re committed to creating a secure digital ecosystem for Canada.

Our mandate positions us to see threats, to prepare for them, to block them, to respond to them, and, over time, hopefully help deter them.

Our culture of innovation and experience, our diversity and our expertise are shaping our approach to this mammoth problem, but CSE alone cannot do this.

Government alone cannot do this.

This is a whole-of-society concern, and it requires a whole-of-society approach.

In every one of today’s examples, you heard about the partners with whom we work and through whom we amplify our unique value on a national, and sometimes international scale.

That’s why CSE is opening up in so many new directions – to continue building those partnerships.

That’s why, hopefully, Canadians will come to understand who we are and what we do.

In some ways, it’s still a little bit out of our comfort zone.

But on the other hand, helping Canada and Canadians be safer through pathfinding innovation and technical excellence… well that’s just in our DNA.

So I’m confident.

I’m confident that if we each play our role—government, private sector, and individual Canadians—we can be more prepared and more resilient together.

And we can come to think of the internet as not a place where threats lurk, but as a place where we can promote digital trade and advance Canada’s interests, and where Canadians can ultimately, confidently, safely, live and work online.

Date modified: