Transition binder for the Honourable Anita Anand, Minister of National Defence

Introduction to Communications Security Establishment (CSE)

October 2021

      • Letter to the Minister

        Dear Minister Anand,

        Welcome to your new role.

        As Minister of National Defence, you are the Minister responsible for the Communications Security Establishment (CSE). As your Deputy Minister for CSE, I look forward to discussing how our mandate and expertise can help deliver the Government’s commitments and priorities. This letter is meant to introduce you to CSE’s national roles and value, our current and future priorities, our culture, and your responsibilities in relation to our authorities.

        In short, CSE is Canada’s lead operational agency for the cyber domain. We have a legislated mandate to conduct cyber operations in Canada’s interests, from producing foreign intelligence to securing and defending Canada’s digital infrastructure. Under your leadership, CSE’s mandate and expertise can help give Canada an information advantage, raise our cyber security bar, and increase the costs to those who would seek to undermine our economy, our privacy, our reputations and competitiveness, and our national security. Through deliberate, responsible action we can better secure and reap the benefits of the financial investment Canada makes in our national digital infrastructure.

        In the near term, there are opportunities to bolster Canada’s cyber resilience that will require your attention, including:

        • Implementing new measures to enhance the security of Canada's critical infrastructure and economy against cyber threats, including ransomware. This will require collaboration with the Minister of Public Safety and the Minister of Innovation, Science and Industry, and close partnership with the private sector, provinces and international partners. Cyber security is a whole-of-society concern, and the Government can show leadership, share expertise and also leverage its standard-setting role in federally regulated sectors to help increase national resilience as well as be a reliable partner to the U.S. when it comes to continental cyber defence.
        • Defining Canada’s approach to cyber operations and the responsible use of cyberspace including by clarifying the roles for CSE and the Canadian Armed Forces (CAF) as they relate to active cyber operations. Together with the Minister of Foreign Affairs and international partners, Canada can continue to help define parameters for responsible state behaviour in cyberspace, even as we conduct operations in line with Canadian values and international law to defend and advance Canada’s interests in international affairs, defence and security.
        • Further securing the Government of Canada’s digital infrastructure, including by working with the President of the Treasury Board to protect Canadians and their information by securing the next generation of GC infrastructure, and ensuring that cyber security best practices and assessments are part and parcel of new GC initiatives and procurement. Lastly, we will continue working with GC organizations, such as Crown Corporations, to take advantage of CSE’s advanced cyber defences. 

        We will also support your Government’s platform commitments and priorities through CSE’s foreign intelligence mission, providing timely, relevant and useful intelligence to you and your Cabinet colleagues on emerging priorities, strategic issues and crises. For example, you will expect CSE to produce foreign intelligence on a wide range of threats to Canada to inform our approach to continental defence. Specifically, our mandate also includes authorities to help defend against those threats, and in particular cyber threats—regardless of whether they are from foreign states, militaries or criminals. I am confident, as well, that you will find CSE delivers our mandate in a way that reflects the Government’s commitment to innovation, transparency, diversity and inclusion.

        As we look to the future, it may be helpful to take a quick look back at CSE’s contributions to the Government’s pandemic response as a practical example of how our mandate, authorities and expertise can be quickly and usefully mobilized to address emerging Government priorities. 

        CSE’s COVID-19 activities

        Below are some examples of how CSE surged efforts throughout the pandemic in support of Canadians, the health sector and the GC, by:

        • forging a partnership with the Public Health Agency of Canada and meeting weekly with over 200 health sector organizations to provide cyber threat information and targeted advice on how to protect vaccine supply chain, warehouses, hospitals and administration sites;
        • publicly alerting and advising Canadians about new cybercrime campaigns using COVID themes to defraud and steal personal information;
        • protecting the Government’s trusted brand by working with private sector partners to take down almost 10,000 on-line domains “spoofing” legitimate GC entities;
        • developing new, secure technology that allowed Government, Ministers and senior officials to work more effectively and more securely across the country;
        • improving the security of the Government’s COVID-related applications;
        • delivering foreign intelligence reports related to the pandemic, including foreign cyber threat activity aimed at Canada’s health sector; and
        • publicly attributing Russian cyber espionage specifically targeting Canadian COVID-19 vaccine research.

        CSE’s lead national roles, mandate and authorities

        Our 21st century, high-tech mandate is firmly rooted in our history. In fact, 2021 marks three-quarters of a century as Canada’s national cryptologic agency—making and breaking codes. In modern terms, we are:

        • the national technical authority for cyber security and safeguarding Canada’s secret information through strong encryption,
        • the national authority for foreign intelligence collected through cyberspace (signals intelligence or SIGINT), and
        • Canada’s hub for national cyber capabilities and operations.

        CSE’s expertise has evolved over the past eight decades in lock step with technology’s advance. Today, we are at the cutting edge of the next generation of communications and digital technologies, like quantum computing and artificial intelligence. The Government has recognized the value of CSE’s technical and operational expertise in Canada’s future through new resourcing and by providing robust and up-to-date authorities, enshrined in new legislation, the CSE Act (2019).

        As the national technical lead for cyber security, we are the home of the Canadian Centre for Cyber Security (CCCS) which includes the National CSIRT (Computer Security Incident Response Team) and the Government of Canada CIRT (Computer Incident Response Team). As a result, CSE’s Cyber Centre is a one-stop shop for expert advice and guidance to a range of national clients—governments, critical infrastructure, small-and-medium enterprises, academia, Canadians—on how to be more secure on-line. We believe that the “best defence is a good defence” and have been able to draw down risk by delivering internationally recognized, world-class defence of Canadian government networks, and blocking billions of malicious actions every day directed at federal systems, databases, and websites. Our cyber defence operations are complemented by programs to promote best cyber security practices (e.g. October is Cyber Security Awareness Month, and a chance for you to see CSE’s national educational campaign in surge mode), and we provide tailored advice about specific cyber threats or incidents to help protect some of the most important cyber infrastructures in Canada.

        We also have a lead national role to collect foreign intelligence to provide Canadian decision makers with an information advantage on a wide range of Government priorities. We take our foreign intelligence marching orders from Cabinet and your direction, as Minister for CSE, to ensure we are focusing our resources against the highest priorities. Today, we serve 1,450 Top Secret-cleared Government clients in 28 departments with foreign intelligence relevant to their specific mandates. For example, we support Canadian military missions abroad, providing information to enable military objectives and keep personnel safe. We provide unique insights about inter-state competition and global crises that help inform national policy development and defend Canada’s sovereignty, for example in the Arctic. And we uncover and help counter foreign-based threats—including cyber threats—to Canada.

        In 2019, Parliament gave CSE a new, explicit mandate to conduct foreign cyber operations to actively defend Canadian infrastructure and to advance Canada’s interests in international affairs, defence and security. Under these authorities, CSE takes action through cyberspace to degrade, disrupt, influence, respond to or interfere with the capabilities, intentions or activities of a foreign individual, state, organization or terrorist group. These are significant legislated authorities and important to unapologetically declare as part of Canada’s digital age toolkit. Together with GAC, we have developed a framework for assessing risk and ensuring that our operations adhere to the norms established for responsible behaviour in cyberspace. We have publicly committed to support NATO with our cyber capabilities, as appropriate, and we continue to work with Canada’s likeminded partners to promote a stable, predictable, safe and inclusive global cyberspace.

        While CSE has an explicit national lead role and expertise in cyber operations, others—including the CAF—also have legal authority to conduct certain activities in cyberspace (e.g. most obviously under the Laws of Armed Conflict). As a result, in operationalizing the new CSE Act authorities for foreign cyber operations, CSE and CAF have been working in an integrated way to ensure that CAF’s military cyber operations can benefit from CSE capabilities and expertise, while together promoting Canadian coherence and accountability in cyberspace.

        In addition to assisting CAF, we also use our expertise to assist federal Canadian law enforcement and national security partners to carry out various technical and operational aspects of their mandates. For example, this includes assisting the Canadian Security Intelligence Service (CSIS) or the Royal Canadian Mounted Police (RCMP) with our capabilities to collect and process communications, provide linguistic support, design technical solutions, or conduct on-line operations under the authority of the requesting agency.

        Checks and balances

        CSE’s mandate is carried out within a robust framework of Ministerial and management accountability. Operational authorizations and activities under CSE’s mandate are aligned with government priorities and direction, privacy protections, and are subject to restrictions, oversight and review.

        CSE is explicitly prohibited in legislation from directing foreign intelligence, cyber security, or cyber operations activities at Canadians or at any person in Canada. Our legislation also requires us to have measures in place to protect the privacy of Canadians whom we may incidentally encounter as we carry out our activities.

        In addition, many of our foreign intelligence, cyber security activities, and all our foreign cyber operations activities, may only be carried out under the authority of written Authorizations issued by you, the Minister. Before foreign intelligence and cyber security authorizations may take effect, they must be reviewed and approved by the Intelligence Commissioner, an independent official who must be a former judge. Authorizations for foreign cyber operations must be either consulted with or consented to by the Minister of Foreign Affairs. You may also issue Ministerial Directions and Ministerial Orders as further guidance or restrictions for CSE’s activities. Our legislation also requires that all our foreign intelligence activities be based on the Government’s priorities set by Cabinet.

        CSE is subject to after-the-fact review by the National Security and Intelligence Review Agency (NSIRA) and the National Security and Intelligence Committee of Parliamentarians (NSICOP). NSIRA is an independent review agency whose mandate is to scrutinize all national security and intelligence activities across the federal government. NSIRA also serves as the body for any complaints against CSE. The NSICOP is made up of members of the House of Commons and the Senate who have full security clearances. NSICOP has a broad mandate to review Canada’s national security and intelligence organizations, including CSE. These review bodies have unprecedented access to classified information, subject to specific exemptions defined in law.

        It is worth noting that CSE is no stranger to review. Since 1996, retired judges—including a Chief Justice of the Supreme Court of Canada—have served as CSE Commissioners reviewing CSE activities. This regime lasted for 23 years until NSIRA was formally established in 2019. CSE has always welcomed review of our activities and been regarded as having a “culture of compliance” with a track record of accepting the vast majority of independent review recommendations for improvements.

        I look forward to briefing you on our operational activities at your earliest convenience, and to discussing NSIRA and NSICOP reviews currently underway. 

        Our culture and our people

        Our people are truly our greatest strength. We have about 3,000 employees, over half of whom are engineers, computer scientists, cyber security specialists, mathematicians, cryptanalysts, linguists, physicists, and data and intelligence analysts. Our dedicated people are among the best and brightest in Canada and must pass through rigorous testing and security processes to be part of our team.

        As a modern and dynamic organization, CSE’s goal is that every employee feels —every day— like a valued, contributing member of a welcoming, respected, and high-functioning community. We have been actively working to institutionalize equity, expand diversity, and promote an inclusive community. This is not just the right thing to do. It is our mission imperative. The complex problems we face require a wide range of perspectives, skills and mindsets to tackle them. We have adopted a five-point approach to achieve this goal:

        1. Learning from mistakes of the past;
        2. Bolstering the effectiveness of our mission through engaging the full diversity of our organization;
        3. Institutionalizing diversity into our corporate practices and processes;
        4. Measuring efforts and tracking progress; and
        5. Creating positive experiences.

        Our efforts include specific initiatives to improve CSE’s ability to attract, develop and retain women of diverse backgrounds in technical fields. We engage regularly with other government departments and participate in community mentorship opportunities, for example, establishing a Women in Cyber and Intelligence Committee to provide role models, mentors and coaching, and through our partnership with Hackergal, a not-for-profit organization that inspires girls across Canada to explore the opportunities in coding. With these efforts, we’re making tackling gender inequalities in STEM fields a top priority. I look forward to briefing you on our many youth outreach and engagement activities with other under-represented and equity-seeking groups.

        Over the past decade, CSE has consistently ranked as one of the best places to work in the Government. This trend was reinforced in the most recent Public Service Employee Survey where employees continued to rate CSE higher than the rest of the public service in several key areas, such as: promoting values and ethics in the workplace (19% higher than the public service), mental health services (12% higher) and resources during the COVID-19 pandemic (15% higher), and the desire to remain with the agency, even if a comparable job was available elsewhere in the federal public service (21% higher). Outside the Government, we have also been named employer of choice for young people and a best employer in the National Capital for several years running. 

        Nevertheless, as an agency we aim for continuous improvement, including putting greater emphasis on finding and retaining top talent (all the while continuing to promote diversity—and importantly neurodiversity—and inclusion within our workforce). Innovation, collaboration and agility are at the core of our organizational ethos and culture. They represent the consistent thread that runs through our history, and that is the key to our future.

        Technical talent with these attributes is in high demand. There are many areas where our expertise is “one-deep” and losing key individuals in those areas would have a disproportionate impact on our ability to deliver effectively on our mandate. We are working with GC partners on a broader effort to tackle the cyber skills shortage to ensure Canada has the workforce to meet the needs of a secure digital economy. We are developing highly innovative recruitment strategies, for example partnership with Escape Manor to create a new escape room that includes complex puzzles developed by CSE code makers and breakers to see who would serve as a competitive cyber defence employee with the agency.

        CSE’s relevance in the 21st century: our history has prepared us well for our future

        Inter-state rivalry is intensifying, as is the use of tools such as disinformation and foreign interference, cyber exploitation, and economic coercion as alternatives to traditional levers of power. Technology itself is emerging as a domain of inter-state competition and will introduce new vulnerabilities to our citizens and our businesses. Cyber security has become a “whole-of-society” concern and growing challenge.

        CSE can help you, as Minister, and the Government navigate the complex cyber and emerging technology environment and maintain an information advantage through our foreign intelligence mission. We have grown into our modern-day mandate responsibly—by demonstrating our value over many decades, by successfully conducting operations covertly and without attribution to Canada, as well as with great attention to lawfulness and privacy protections. We have focused on building trust and confidence with Canadians through new kinds and unprecedented levels of transparency. We have nurtured longstanding, valued relationships with our key allies, as well as built partnerships with the Canadian private sector and academia. Our workforce of experts, our modern and well-equipped workplace combined with recent investments and updated authorities make CSE uniquely well suited to support the Government’s broader agenda.

        Among international cyber power benchmarks, Canada rates high in areas of demonstrated strength, like our cyber defence capabilities and cyber threat intelligence capacity. However, there are also opportunities to reinforce Canada’s views on international law and Canadian priorities for cyberspace, as well as offset the cyber security skills shortage in relation to growing national demand. The upcoming reviews of both Canada’s National Cyber Security Strategy (2018) and the Canadian Centre for Cyber Security (2018) will allow us to publicly articulate the next slate of Canada’s cyber ambitions.

        I look forward to working with you, Minister Anand, to help deliver your Government’s platform commitments and priorities, and to advance the opportunities outlined at the beginning of this letter, specifically to implement new measures to enhance the resilience of Canada's critical infrastructure and economy against cyber security threats, including ransomware; define Canada’s approach to cyber operations and the responsible use of cyberspace; and further the Government’s agenda with timely, relevant and actionable foreign intelligence.

        I am keen to brief you further, at your convenience, about CSE’s important work. In the meantime, I am including a package of recent CSE publications and backgrounders for your information and remain available to answer any questions.

        Sincerely,

        Shelly Bruce

        Chief - Communications Security Establishment

      CSE at a glance

      As Minister of National Defence responsible for the Communications Security Establishment, you are accountable for our national roles in:

      Cyber security: CSE actively defends Canadian government networks, and helps protect other networks that you designate as important to the Government. CSE provides national leadership as the Canadian Centre for Cyber Security, including a role as the national Cyber Emergency Response Team (CERT).

      Foreign intelligence: CSE is the leading provider of foreign intelligence to Government clients, and the national authority for signals intelligence. Foreign intelligence activities are guided by the Cabinet-approved set of priorities.

      Foreign cyber operations: CSE has a broad mandate for foreign cyber operations in support of Canada’s international affairs, defence and security, including cyber security. CSE’s advanced technical capabilities and operational expertise are also used to support DND/CAF, CSIS and RCMP in the conduct of cyber operations under their respective mandates.

      Who we are

      Personnel
      • CSE has about 3000 employees, among the best and brightest in Canada, over half of whom are engineers, computer scientists, cyber security specialists, mathematicians, cryptanalysts, linguists, physicists, data and intelligence analysts.
      • CSE was named one of Canada’s top employers for young people from 2017 to 2021.
      • In the most recent Public Service Employee Survey results our employees ranked CSE higher than the rest of the public service in innovation (by 15 per cent), and psychologically healthy workplace (by 11 per cent).
      • With a few exceptions, CSE employees are posted in Ottawa, split between a modern, open-concept, high security, special purpose workplace, and a new facility in Vanier, which houses mainly Cyber Centre employees, allowing for greater capacity for cyber security research and engagement with the private sector.
      Budget
      • CSE’s estimate for its ‘Total Authorities’ budget in 2020-2021 is $794 million.

      What we do

      We are foreign intelligence
      • We support you and the other Cabinet Ministers by providing assistance to Canadian military missions abroad, offering insights about issues of global importance and uncovering foreign-based threats such as extremists planning to carry out attacks against Canadian interests and malicious cyber threats against Canadian networks.
      We are cyber security
      • We deliver world-class defence of Canadian government networks, routinely blocking over a billion malicious cyber attempts per day. We have the authority to use our expertise to assist Canadian critical infrastructure. We provide custom advice and guidance to a wide range of Canadian entities about specific threats, help respond to major incidents, and raise public awareness through outreach and national cyber security campaigns.
      We are trusted advisors
      • We provide technical and operational assistance to CAF/DND, CSIS and RCMP where CSE’s costly and hard-won capabilities or expertise can be employed, reducing duplication and improving cost effectiveness. All assistance is provided under the authorities of the requesting agency and subject to the same restrictions as apply to the requesting agency.
      • We support a broad range of partners (industry, academia, provinces and territories, allies), promote cyber security and protect critical infrastructure. For example, under CSE’s Security Review Program, we work with telecommunications providers, vendors and private sector labs to help mitigate risks in designated wireless equipment and services, including Huawei.

      How we do it

      Leading-edge technological expertise
      • CSE has the largest concentration of supercomputers in Canada, and is home to the Tutte Institute for Mathematics and Computing, a world-class Top Secret mathematics and computing institute.
      • CSE is a thought leader and pathfinder in emerging digital and cyber technologies, with a research program focused on quantum cryptography; advanced analytics; maintaining covert operations; and detecting hostile state actor campaigns. CSE’s expertise is harnessed to inform Government policies on emerging technology, ranging from 5G to artificial intelligence and quantum.
      Legal authorities and capabilities
      • CSE has up-to-date legislation and operates within a robust oversight and review regime. The CSE Act will be reviewed in 2022.
      Engagement with key stakeholders
      • CSE is a trusted and contributing partner within the Five Eyes community. In return, CSE requires information, capabilities, and tradecraft that would not otherwise be available to Canadian cryptologic practitioners.
      • CSE engages with over 2000 Government of Canada clients in more than 20 departments.
      • CSE collaborates with the private sector to innovate new solutions.
    • Organizational structure

      Chief
      Shelly D. Bruce

      • Deputy Chief, Canadian Centre for Cyber Security
        Sami G. Khoury
      • Associate Deputy Chief, Canadian Centre for Cyber Security
        Rajiv Gupta
      • Deputy Chief, Enterprise Technologies and Solutions
        Darrell Schroer
      • Deputy Chief, Corporate Services
        Gibby Armstrong
      • Deputy Chief, Authorities, Compliance and Transparency
        Nabih Eldebs
      • Deputy Chief, Strategic Policy, Planning and Partnerships
        Wendy Hadwen
      • Assistant Deputy Minister (ADM) Senior Advisor for people, equity, diversity and inclusion
        Artur Wilczynski
      • Deputy Chief, Signals Intelligence
        Dan Rogers
      • Director General, Audit, Evaluation and Ethics
        Annie Péladeau
      • General Counsel & Executive Director, Legal Services
        Manon Lefebvre
      • Director General, Public Affairs and Communications Services
        Christopher Williams
  • CSE annual report

  • Chief Shelly Bruce’s speech for the Centre for International Governance Innovation (CIGI) as part of discussion on Enhancing Cybersecurity Readiness in an Era of Digital Disruption, May 18, 2021

Additional reference material

  • The CSE Act

    • A quick guide to the CSE Act

      Foreign intelligence (Article 16, CSE Act)

      Mandate
      • Activities must not be directed at Canadians or Persons in Canada, and must not infringe the Canadian Charter of Rights and Freedoms
      • Activities Requiring Ministerial Authorization: MA’s protect CSE where our activities would contravene any other act of Parliament (*or of any foreign state for FI, DCO, and ACO only); and/or would interfere with a reasonable expectation of privacy in relation to a Canadian or person in Canada
      Conditions
      • Activities must be reasonable, necessary, and proportionate
      • Unselected information could not be reasonably acquired by other means
      • Measures are in place to protect the privacy of Canadians or persons in Canada
      • Information identified as relating to a Canadian or a person in Canada will be used, analyzed or retained only if the information is essential to international affairs, defence and security
      • Measures to protect privacy:
        • Policies, training, retention, suppression, management approvals, ACL, audit, review, DLS, D2
      • Canadian Identifying Information (CII) is only disclosed to designated people/classes of people if the disclosure is essential to international affairs, defence, security, or cyber security.
      • Information relating to Canadians or persons in Canada may be disclosed to designated people/classes of people if necessary to protect systems of importance
      Exceptions
      • Using publicly available information that has been published or broadcast for public consumption, is accessible to the public on the GII or otherwise or is available to the public on request, by subscription or by purchase (does not include information where a Canadian or person in Canada has a reasonable expectation of privacy).
      • Testing or evaluating products, software, and systems for vulnerabilities
      • Analysing information and providing advice regarding foreign investments in Canada to the Ministers of PS/ISED for the purposes of the Investment Canada Act.
      • Acquiring, using, analysing, retaining or disclosing infrastructure information for the purpose of research and development, for the purpose of testing systems or conducting cyber security and information assurance activities on the infrastructure from which the information was acquired.
      Approvals
      • Authorized by Minister of National Defence: MND must have reasonable grounds to believe that the conditions set out in law are met, including that the FI and CS activities are reasonable, necessary and proportionate and that the ACO/DCO activities are reasonable and proportionate.
      Oversight
      • Approved by Intelligence Commissioner:
        • The IC must be satisfied that the ministerial conclusions are reasonable
        • The IC approves CSE’s MAs before CSE can conduct any operations.
      Review
      • NSIRA: National Security and Intelligence Review Agency
        • Responsible for reviewing all activities of CSE, and all national security activities across the GC
        • NSIRA reviews CSE activities for compliance with the law and ministerial directions, and they review the reasonableness and necessity of CSE’s exercise of its powers
        • Investigates any complaints against CSE
      • NSICOP: National Security and Intelligence Committee of Parliamentarians
        • Reviews CSE activities related to national security or intelligence, including the measures it has in place to protect the privacy of Canadians or persons in Canada

      Cyber security and information assurance (Article 17, CSE Act)

      Mandate
      • Activities must not be directed at Canadians or Persons in Canada, and must not infringe the Canadian Charter of Rights and Freedoms
      • Activities Requiring Ministerial Authorization: MA’s protect CSE where our activities would contravene any other act of Parliament (*or of any foreign state for FI, DCO, and ACO only); and/or would interfere with a reasonable expectation of privacy in relation to a Canadian or person in Canada
      Conditions
      • Activities must be reasonable, necessary and proportionate
      • Measures are in place to protect the privacy of Canadians or persons in Canada
      • Designation: MND may designate any electronic information, any information infrastructures or any class of either as being of importance to the GC
      • Information identified as relating to a Canadian or a person in Canada will be used, analyzed or retained only if the information is essential to identify, isolate, prevent or mitigate harm to systems of importance
      • Measures to protect privacy:
        • Policies, training, retention, suppression, management approvals, ACL, audit, review, DLS, D2
      • Canadian Identifying Information (CII) is only disclosed to designated people/classes of people if the disclosure is essential to international affairs, defence, security, or cyber security.
      • Information relating to Canadians or persons in Canada may be disclosed to designated people/classes of people if necessary to protect systems of importance
      Exceptions
      • Using publicly available information that has been published or broadcast for public consumption, is accessible to the public on the GII or otherwise or is available to the public on request, by subscription or by purchase (does not include information where a Canadian or person in Canada has a reasonable expectation of privacy).
      • Testing or evaluating products, software, and systems for vulnerabilities
      • Analysing information and providing advice regarding foreign investments in Canada to the Ministers of PS/ISED for the purposes of the Investment Canada Act.
      • Acquiring, using, analysing, retaining or disclosing infrastructure information for the purpose of research and development, for the purpose of testing systems or conducting cyber security and information assurance activities on the infrastructure from which the information was acquired.
      • Carrying out activities on information infrastructures to identify, isolate, prevent and/or mitigate the activity and/or impact of malicious software on the infrastructure.
      • Doing research and development and analysing information in order to provide advice and guidance on the integrity of supply chains and on the trustworthiness of e-communications, equipment and services.
      Approvals
      • Authorized by Minister of National Defence: MND must have reasonable grounds to believe that the conditions set out in law are met, including that the FI and CS activities are reasonable, necessary and proportionate and that the ACO/DCO activities are reasonable and proportionate.
      Oversight
      • Approved by Intelligence Commissioner:
        • The IC must be satisfied that the ministerial conclusions are reasonable
        • The IC approves CSE’s MAs before CSE can conduct any operations.
      Review
      • NSIRA: National Security and Intelligence Review Agency
        • Responsible for reviewing all activities of CSE, and all national security activities across the GC
        • NSIRA reviews CSE activities for compliance with the law and ministerial directions, and they review the reasonableness and necessity of CSE’s exercise of its powers
        • Investigates any complaints against CSE
      • NSICOP: National Security and Intelligence Committee of Parliamentarians
        • Reviews CSE activities related to national security or intelligence, including the measures it has in place to protect the privacy of Canadians or persons in Canada

      Defensive Cyber Operations (DCO) (Article 18, CSE Act)

      Mandate
      • Activities must not be directed at Canadians or Persons in Canada, and must not infringe the Canadian Charter of Rights and Freedoms
      • Activities Requiring Ministerial Authorization: MAs protect CSE where our activities would contravene any other act of Parliament (*or of any foreign state for FI, DCO, and ACO only); and/or would interfere with a reasonable expectation of privacy in relation to a Canadian or person in Canada
      Conditions
      • Activities must be reasonable and proportionate
      • The objective of the ACO/DCO operation could not be reasonably achieved by other means
      • Any information used to plan/conduct an ACO/DCO operation must be acquired under an FI or cyber security MA
      • CSE is strictly prohibited from:
        • Intentionally, or by criminal negligence, causing death or bodily harm;
        • Interfering with the course of justice or democracy
      Exceptions
      • Using publicly available information that has been published or broadcast for public consumption, is accessible to the public on the GII or otherwise or is available to the public on request, by subscription or by purchase (does not include information where a Canadian or person in Canada has a reasonable expectation of privacy).
      • Testing or evaluating products, software, and systems for vulnerabilities
      • Analysing information and providing advice regarding foreign investments in Canada to the Ministers of PS/ISED for the purposes of the Investment Canada Act.
      • Acquiring, using, analysing, retaining or disclosing infrastructure information for the purpose of research and development, for the purpose of testing systems or conducting cyber security and information assurance activities on the infrastructure from which the information was acquired.
      Approvals
      • Authorized by Minister of National Defence: MND must have reasonable grounds to believe that the conditions set out in law are met, including that the FI and CS activities are reasonable, necessary and proportionate and that the ACO/DCO activities are reasonable and proportionate.
      • Approved if the Minister of Foreign Affairs is consulted
      Oversight
      • N/A
      Review
      • NSIRA: National Security and Intelligence Review Agency
        • Responsible for reviewing all activities of CSE, and all national security activities across the GC
        • NSIRA reviews CSE activities for compliance with the law and ministerial directions, and they review the reasonableness and necessity of CSE’s exercise of its powers
        • Investigates any complaints against CSE
      • NSICOP: National Security and Intelligence Committee of Parliamentarians
        • Reviews CSE activities related to national security or intelligence, including the measures it has in place to protect the privacy of Canadians or persons in Canada

      Active Cyber Operations (ACO) (Article 19, CSE Act)

      Mandate
      • Activities must not be directed at Canadians or Persons in Canada, and must not infringe the Canadian Charter of Rights and Freedoms
      • Activities Requiring Ministerial Authorization: MAs protect CSE where our activities would contravene any other act of Parliament (*or of any foreign state for FI, DCO, and ACO only); and/or would interfere with a reasonable expectation of privacy in relation to a Canadian or person in Canada
      Conditions
      • Activities must be reasonable and proportionate
      • The objective of the ACO/DCO operation could not be reasonably achieved by other means
      • Any information used to plan/conduct an ACO/DCO operation must be acquired under an FI or cyber security MA
      • CSE is strictly prohibited from:
        • Intentionally, or by criminal negligence, causing death or bodily harm;
        • Interfering with the course of justice or democracy
      Exceptions
      • Using publicly available information that has been published or broadcast for public consumption, is accessible to the public on the GII or otherwise or is available to the public on request, by subscription or by purchase (does not include information where a Canadian or person in Canada has a reasonable expectation of privacy).
      • Testing or evaluating products, software, and systems for vulnerabilities
      • Analysing information and providing advice regarding foreign investments in Canada to the Ministers of PS/ISED for the purposes of the Investment Canada Act.
      • Acquiring, using, analysing, retaining or disclosing infrastructure information for the purpose of research and development, for the purpose of testing systems or conducting cyber security and information assurance activities on the infrastructure from which the information was acquired.
      Approvals
      • Authorized by Minister of National Defence: MND must have reasonable grounds to believe that the conditions set out in law are met, including that the FI and CS activities are reasonable, necessary and proportionate and that the ACO/DCO activities are reasonable and proportionate.
      • Approved if requested, or consented to, by Minister of Foreign Affairs
      Oversight
      • N/A
      Review
      • NSIRA: National Security and Intelligence Review Agency
        • Responsible for reviewing all activities of CSE, and all national security activities across the GC
        • NSIRA reviews CSE activities for compliance with the law and ministerial directions, and they review the reasonableness and necessity of CSE’s exercise of its powers
        • Investigates any complaints against CSE
      • NSICOP: National Security and Intelligence Committee of Parliamentarians
        • Reviews CSE activities related to national security or intelligence, including the measures it has in place to protect the privacy of Canadians or persons in Canada

      Technical and operational assistance (Article 20, CSE Act)

      Mandate
      • Subject to requests from federal law enforcement and security agencies, the Canadian Armed Forces (CAF) and the Department of National Defence (DND)
      Conditions
      • CSE would have the same authority to carry out an activity as the agency requesting the assistance
      • CSE would also be subject to any restrictions or conditions placed on the agency requesting that assistance, such as a warrant or applicable law
      • In addition, for assistance to DND and the CAF, CSE would:
        • Receive a written request from DND or CAF authorized by an appropriate representative
        • Comply with all instructions, parameters, and limits of the authorized CAF activity
        • Comply with all relevant Ministerial Directives issued to CSE by the MND
        • Adhere to agreements or arrangements with DND and CAF
        • Comply with all CSE policies and procedures related to the provision of assistance
      Exceptions
      • N/A
      Approvals
      • N/A
      Oversight
      • N/A
      Review
      • NSIRA: National Security and Intelligence Review Agency
        • Responsible for reviewing all activities of CSE, and all national security activities across the GC
        • NSIRA reviews CSE activities for compliance with the law and ministerial directions, and they review the reasonableness and necessity of CSE’s exercise of its powers
        • Investigates any complaints against CSE
      • NSICOP: National Security and Intelligence Committee of Parliamentarians
        • Reviews CSE activities related to national security or intelligence, including the measures it has in place to protect the privacy of Canadians or persons in Canada
  • National cyber threat assessment 2020

  • Cyber threats to Canada’s democratic process Report (2021 Update)
