CSE’s priorities are decided by Cabinet, which is chaired by the Prime Minister.
CSE operates within a strict legal framework that is subject to independent oversight.
Our mandate and powers are set out in the Communications Security Establishment Act (the CSE Act). This legislation came into force in August 2019.
The four aspects of our mandate are:
- cyber security
- foreign intelligence
- defensive and active cyber operations
- assistance to federal partners
The CSE Act requires that our activities do not target Canadians anywhere in the world, or any person in Canada, unless there are reasons to believe that there is an imminent danger of death or serious bodily harm. The CSE Act also requires that we protect the privacy of Canadians and persons in Canada.
We are governed by all other Canadian laws, including the Canadian Charter of Rights and Freedoms, the Privacy Act, the Criminal Code, the Security of Canada Information Disclosure Act, and the Avoiding Complicity in Mistreatment by Foreign Entities Act and its directives.
The Minister of National Defence guides and authorizes our activities using the following mechanisms that establish operating parametres and expectations for CSE:
- Ministerial Directives
- Ministerial Authorizations
- Ministerial Orders
Ministerial Directives, Authorizations, and Orders are based on the Government’s intelligence priorities as set out by Cabinet through discussion and consultations with the security and intelligence community.
The Minister cannot authorize any activities that are not included in our mandate or grant CSE any powers that do not exist in Canadian law.
The Chief of CSE receives instructions from the Minister of National Defence through Ministerial Directives.
These Directives set out direction and guidance, operating parameters, or the Minister’s expectations for CSE on a range of issues.
CSE’s activities must be consistent with those Directives and must always fall within our mandate and authorities.
Ministerial Directives cannot grant CSE any power that does not already exist in Canadian law.
The Chief of CSE must seek an Authorization from the Minister of National Defence if either:
- CSE’s activity may contravene an act of Parliament, or
- CSE’s activity may interfere with a reasonable expectation of privacy
An example of this could be a cyber security operation that risks incidentally intercepting a Canadian private communication.
The Minister can only issue an Authorization if they conclude that the activities proposed are reasonable and proportionate, and that measures are in place to protect Canadian privacy.
As an added layer of independent oversight, the Intelligence Commissioner must also review and approve any Foreign Intelligence Authorizations or Cyber Security Authorizations.
CSE must consult the Minister of Foreign Affairs about Defensive Cyber Operations Authorizations. The Minister of Foreign Affairs must consent to Active Cyber Operations Authorizations.
Ministerial Authorizations can be for foreign intelligence, cyber security, or cyber operations. They are valid for up to one year.
The Minister of National Defence may use Ministerial Orders to designate people or organizations with whom CSE can work and share information.
The Minister may issue three different kinds of Ministerial Order:
- designating non-government cyber systems (like critical infrastructure) as being of importance to the Government of Canada. Once they are designated, CSE can advise and assist the owners and operators of these systems
- designating entities with whom CSE may share Canadian identifying information, if it is essential for international affairs, defence, or security
- designating entities with whom CSE may share Canadian identifying information if it is necessary to protect the information or systems of federal institutions or critical infrastructure