Table of contents
- A. Appearance details
- B. Key highlights and prep material
- C. Issue notes
- Top cybersecurity points
- Motion of privilege: cyber attack against members of parliament
- CSE foreign intelligence mandate
- Cyber capabilities within DND/CAF and CSE
- Ransomware
- Foreign interference and the democratic process
- CSE accountability, oversight, and review
- Growth, recruitment, and retention at CSE
- Defence policy update (DPU)
- Emerging technology
Appearance details
Date: October 10, 2024
Location: TBC
Time: 8:15 am – 10:15 am
Appearing:
- The Honourable Bill Blair (first hour), Minister of National Defence
- Wendy Hadwen, Deputy Chief Strategic Policy, Planning and Partnerships, Communications Security Establishment Canada
- Stefanie Beck, Deputy Minister, Department of National Defence
- Lieutenant-General Stephen Kelsey, Vice Chief of the Defence Staff, Department of National Defence and the Canadian Armed Forces
- Nancy Tremblay, Assistant Deputy Minister (Materiel), Department of National Defence
Details: Invited to discuss the Minister of National Defence’s mandate and priorities.
Key highlights and prep material
Key topics – high-level
- CSE’s total authorities for 2023-2024 were just over $1 billion.
Recruitment and retention
- The Communications Security Establishment Canada (CSE) is an employer of choice – we are fortunate that many talented people choose to work with us. Each year CSE receives, on average, 10,000 to 15,000 applications from applicants with diverse skill sets and cultural backgrounds.
- Over the past several years, CSE has experienced continued and sustained growth. We believe that this growth, combined with our comparatively low attrition rate, reflects the positive work environment, employee development and support programs we have in place.
- CSE has also been recognized as a Top Employer in 2020, 2021, 2022, 2023, and 2024 as well as one of Canada’s Top Employers for Youth for the past 8 years in a row.
- CSE has a very low attrition rate, but we do have employees who choose to pursue opportunities outside the CSE. No organization has a zero percent attrition rate, nor would they want it. We value the contribution of all employees, no matter how long they stay with us.
- CSE employees are amongst the smartest and most talented people in their fields. Their unique skillsets are in high demand and there are opportunities for them outside of CSE.
- There was a slight rise in the number of employees leaving during and post-pandemic, but our overall numbers are still very low.
Facts
- Since 2014, CSE and the Government of Canada have officially attributed 13 cyber incidents to nation-state and state-affiliated actors.
- CSE’s workforce is 3,529 full-time, permanent employees [CSE annual report 2023-2024].
Budget reductions
- CSE will contribute $20.0M ongoing by FY2026-27 to TBS’ budget reduction effort.
- Reductions will be achieved through efficiencies in operating and salary expenditures without affecting operational priorities.
- CSE has examined the years ahead and has developed a strategy to meet the spending reductions outlined by TBS.
- CSE is committed to meeting spending reductions while still delivering its mission. CSE is carefully analyzing the areas that could be reduced with the least operational impact.
Contracting
- CSE does not publicly disclose information pertaining to contracts with vendors for National Security reasons. Furthermore, we do not disclose detailed information about our workforce.
- The information would provide hostile actors with insights that could be used to compromise CSE operations and defences.
- That said:
- CSE is an organization largely made up of IT experts which reduces our need for contracted resources.
- CSE employees have an obligation under the Ethics Charter to declare any conflicts of interest.
- We have a robust internal regime for the disclosure, prevention and management of any situation that would give rise to concerns related to conflicts of interest.
- CSE has a Contract Review Committee and constantly reinforces its contracting processes based on guidance provided by PSPC, the OAG and Central Agencies.
Cyber defence
- The Government of Canada deals with ongoing and persistent cyber risks and threats every day. These threats are real, they are sophisticated, and they continue to evolve.
- CSE is always monitoring for cyber threats and, as the threat landscape changes, will continue to assess its requirements.
- Although CSE generally does not comment on cyber incidents, I can assure the committee members that we are working with our federal partners, including smaller departments and agencies, to make them aware of the threats and remind them of cyber security best practices.
- The government has systems and tools in place to monitor threats, and CSE continues to use all the resources at its disposal to protect the GC from these evolving threats.
- For example, CSE’s Cyber Centre uses sensors, which are software tools installed in partner IT systems, to detect malicious cyber activity on government networks, systems, and cloud infrastructure.
- Last year, our automated defences protected the Government of Canada from 2.3 trillion malicious actions, an average of 6 billion a day.
- CSE works with departments including SSC, TBS, Public Safety, the RCMP, CSIS, and the Department of National Defence (DND) on a number of cyber security issues.
- Cyber defence is the responsibility of all GC departments and agencies. We continue to work together to ensure we can detect and investigate potential threats, and take active measures as required.
Issue notes
Top cybersecurity points
- Cyber security is a foundation for Canada’s future, for our digital economy, our personal safety, and national prosperity and competitiveness.
- Every day, the Communications Security Establishment Canada (CSE) uses its sophisticated cyber and technical expertise to help monitor, detect, and investigate threats against Canada’s information systems and networks, and to take active measures to address them.
- CSE’s Canadian Centre for Cyber Security (Cyber Centre) is Canada’s technical and operational authority on cyber security. As part of CSE, it provides leading-edge advice and services to help prevent cyber incidents and keep critical services up and running, including by using sensors to detect malicious cyber activity at the host, cloud, and network levels.
- The Cyber Centre’s mandate covers federal institutions and systems of importance, which include critical infrastructure. Under the CSE Act, the Cyber Centre can also assist any other entity designated by the Minister of National Defence as being of importance to the Government of Canada. Examples last year include providing cyber defence services to the territories and cyber security assistance to Ukraine and Latvia.
- Recent and ongoing geopolitical events and incidents of cybercrime have elevated the potential risk of cyber threats. CSE continues to publish advice and guidance to help all sectors protect themselves from cyber threats. It works with industry partners, including government and non-government partners, to share threat information and cyber security best practices.
- If Canadian companies have been impacted by cyber threats, they are urged to contact the Cyber Centre toll free at 1-833-CYBER-88, by email at contact@cyber.gc.ca, or visit Cyber.gc.ca.
- Bill C-26 (An Act Respecting Cyber Security), currently before the Senate, is a critical next step that provides the government with new tools and authorities to better bolster defences, improve security across critical federally regulated industry sectors, and protect Canadians and Canada’s critical infrastructure from cyber threats.
- Cyber security matters to all of us, and the federal government works together with other jurisdictions, organizations, and critical infrastructure network defenders to raise Canada’s cyber security bar.
- If Canadian companies have been impacted by cyber threats, I urge them to contact the Cyber Centre toll free at 1-833-CYBER-88, by email at contact@cyber.gc.ca, or report an incident through the Cyber.gc.ca website.
Background
- CSE utilizes its mandate to reduce the impact of cybercrime on Canadian businesses, organizations, and individuals.
- Ongoing efforts include:
- collecting intelligence on cybercrime groups
- enhancing cyber defences to protect critical systems against cybercrime threats
- advising Canadian critical infrastructure providers on how to protect themselves against cybercrime; and
- using active cyber operations capabilities (ACO) to disrupt the activities of cybercrime groups.
- In addition, working with Canadian and allied partners, CSE has conducted ACO to reduce the ability of cybercrime groups to:
- target Canadians, Canadian businesses and institutions
- launch ransomware attacks
- solicit, buy and sell cybercrime goods and services
- These operations imposed costs on cybercrime groups by making their activities more difficult and less profitable. The aim is to deter future cybercrime attempts on Canadian targets.
Motion of privilege: cyber attack against members of parliament
- The Government of Canada takes its responsibility very seriously to safeguard Canada’s democratic institutions.
- Pursuant to the CSE Act, the Communications Security Establishment Canada (CSE) and its Canadian Centre for Cyber Security (Cyber Centre) share intelligence and information with government clients, including appropriate authorities in Parliament.
- The House of Commons and Senate are independent, and their officials are responsible for determining when and how to directly engage with MPs and Senators in situations like this.
- CSE continues to monitor GC networks and systems of importance for cyber threats. They are working in close coordination with government partners, including relevant security agencies.
- CSE has been fully transparent on this matter and is adhering to the motion passed at the Committee on Procedure and House Affairs (PROC) which includes appearances and the production of papers. CSE understands the importance of this motion and is working diligently to comply with the Committee’s motion.
- Chronology of events (email tracking link campaign targeting Canadian parliamentarians): In this specific case, CSE and other security agencies received the report from the FBI in June 2022.
- CSE immediately shared the information, including the names of the targeted parliamentarians, with the House of Commons.
- This was specific, actionable technical information on this threat, shared with House of Commons IT officials.
- This is the normal process with other Government of Canada partners when threats are detected.
- CSE’s engagement with the House of Commons started well before receiving the FBI report in question, as they had been tracking and helping them to take quick and appropriate measures within their systems to protect their network and users against this, and other threats.
- It’s important to add that, though it may not always be public, CSE has and will continue to take a range of measures to protect MPs and Senators, including remaining in regular contact with the House of Commons officials.
Background
How CSE protects the democratic process:
- CSE helps to protect Canada’s democratic process by:
- providing foreign signals intelligence to Government of Canada decision makers about the intentions, capabilities, and activities of foreign-based threat actors
- defending Canada’s federal elections infrastructure from malicious cyber activity
- proactively helping democratic institutions improve their cyber security
- sharing unclassified threat assessments with the public
- sharing information to help Canadians identify disinformation
- To support Parliamentarians, the Cyber Centre, part of CSE, provides a 24/7 hotline service offering direct support in the event of a cyber incident. The Cyber Centre has provided cyber threat briefings to political parties as well as a dedicated point of contact at the Cyber Centre for assistance with cyber security matters.
- In the run-up to both the 2019 and 2021 federal elections, the Minister of National Defence authorized CSE to conduct defensive cyber operations (DCO) to protect Canada’s election infrastructure from malicious cyber activity if needed. In the event, no activities took place that would have required a DCO response.
- CSE’s Canadian Centre for Cyber Security works closely with Elections Canada, elections authorities and political parties on cyber security preparedness. This includes offering briefings, training resources, consultations, tailored advice and cyber security services.
- The Cyber Centre has an ongoing relationship with Elections Canada, which includes:
- monitoring services to detect cyber threats
- working with them to secure their computer networks
- incident response assistance, if necessary
- Provincial and territorial elections authorities can take advantage of services the Cyber Centre provides to critical infrastructure partners, such as:
- cyber alerts (including mitigation steps)
- malware analysis
- cyber incident advice and support
- In the event a federal election is called, the Cyber Centre is ready to stand up a dedicated hotline for federal political parties offering 24/7 cyber security technical support. (Outside of election periods, the Cyber Centre has a dedicated point of contact political parties can reach out to on cyber security matters.) Elections Canada will be able to rely on existing channels of communication with the Cyber Centre’s democratic institutions team.
State-sponsored Actors Targeting Parliamentarians (APT31)
- 19 Canadian members of the Inter-Parliamentary Alliance on China (IPAC) were notified by the Executive Director in April 2024 that they were targeted by a Chinese state-sponsored cyber actor. This information was based on an FBI report that assessed IPAC members were targeted by Advanced Persistent Threat actor (APT) 31.
- The FBI report was received by Canada’s security agencies, and the information that included the names of the targeted parliamentarians was shared in 2022.
- CSE shared specific, actionable technical information on this threat with House of Commons (HoC) officials, as would be our normal process with other Government of Canada partners when threats are detected.
- This engagement with the HoC started well before receiving the FBI report in question, as we had been tracking and helping them to take quick and appropriate measures within their systems to protect their network and users against this, and other threats. Questions related to how MPs are engaged on situations like this would be best addressed by HoC officials.
CSE foreign intelligence mandate
- The Communications Security Establishment Canada (CSE) is the national signals intelligence agency for foreign intelligence and the technical authority for cyber security and information assurance.
- The Communications Security Establishment Act (the CSE Act) sets out five aspects of our mandate: cyber security and information assurance; foreign intelligence; defensive cyber operations; active cyber operations; and technical and operational assistance.
- CSE collects foreign signals intelligence (or SIGINT) to provide the Government of Canada with information about foreign-based threats.
- SIGINT can include any kind of electronic communication, from text messages to satellite signals.
- CSE’s foreign signals intelligence program provides Canada’s senior decision-makers with insights into the activities, motivations, capabilities, and intentions of foreign adversaries, and the international readiness and foreign reactions to a variety of diverse global events.
- This year, CSE provided foreign intelligence reports in response to Government of Canada priorities including hostile state activity; terrorism and violent extremism; cybercrime; Russia’s Invasion of Ukraine and the Israel-Hamas War.
- In April 2024, the Government announced its Defence Policy Update (DPU) which includes a commitment of $917 million over five years to support Canada’s Foreign Cyber Operations Program and increase foreign intelligence collection capabilities and a total commitment of $2.83 billion over 20 years.
- It’s important to note that under the CSE Act, CSE’s foreign intelligence collection activities must not target Canadians or anyone in Canada.
Quick facts
- CSE foreign intelligence reporting in 2023 to 2024:
- 3,142 reports (up from 3,007)
- 2,137 clients (up from 1,774)
- 28 Government of Canada departments and agencies (up from 27)
Cyber capabilities within DND/CAF and CSE
- Potential adversaries are leveraging and developing cyber capabilities to exploit vulnerabilities in our cyber systems.
- The Communications Security Establishment Canada (CSE) employs sophisticated cyber tools and technical expertise to help identify, prepare for, and defend against cyber threats, as well as to impose costs on malign actors that seek to harm Canada’s information systems, networks, businesses, and institutions.
- CSE’s Canadian Centre for Cyber Security (the Cyber Centre) is Canada’s authority on cyber security. As a unified source of expert advice and guidance, CSE’s Cyber Centre leads the Government’s operational response to cyber incidents. The Cyber Centre also collaborates with the rest of government, the private sector and academia to strengthen Canada’s cyber resilience.
- Cyber operations capabilities are also a key element of military and state power, needed to deter and defeat external threats to Canada in times of peace and conflict.
- CSE and the Canadian Armed Forces (CAF) continue to work with domestic and international partners to support and build a stable cyberspace built on the respect for international law and the norms of responsible state behaviour in cyberspace.
- Accordingly, CSE conducts joint cyber operations with the CAF to support mission objectives. Cyber operations capabilities are a key element of military and state power, needed to deter and defeat foreign-based threats to Canada in times of peace and conflict.
- The CAF contributes to international peace and security through cyber threat intelligence sharing with Allies and partners, and through the conduct of full spectrum cyber operations as authorized by the Government of Canada.
- Specifically, the CAF relies on the force multiplier effects of technology enabled communications, intelligence, and weapon systems, all of which must be secured and defended from cyber threats.
- Canada’s updated Defence Policy: Our North, Strong and Free announced commitments to improve the Canadian Armed Forces’ ability to conduct cyber operations.
- This includes establishing a Canadian Armed Forces Cyber Command, and a joint Canadian operations capability between CSE and the CAF.
- Strengthening the Canadian Armed Forces’ cyber resilience through the Cyber Mission Assurance Program, in partnership with CSE, the CAF will also establish a cyber security certification program to protect defence supply chains from cyber threats.
Quick facts
The CSE Act sets out five aspects of CSE’s mandate, which contribute to the lines of operations above. This includes:
- Cybersecurity and information assurance
- Foreign intelligence
- Defensive cyber operations
- Active cyber operations; and
- Technical and operational assistance
CSE may use defensive cyber operations to defend Canada against foreign cyber threats by taking online action. For example, CSE could prevent cyber criminals from stealing information from a Government of Canada network by disabling their foreign server. This authority can also be used to defend systems designated by the Minister of National Defence as being of importance to the Government of Canada, such as energy grids, telecommunications networks, healthcare databases, banking systems, and elections infrastructure.
Active cyber operations allow CSE to take online action to disrupt the capabilities of foreign threats to Canada, such as: foreign terrorist groups, foreign cyber criminals, hostile intelligence agencies, and state-sponsored hackers. Threats that CSE disrupts must relate to international affairs, defence or security.
CSE, supported by Global Affairs Canada and the CAF, has a proven track record that respects and reinforces Canada’s statement on international law and cyber norms.
CSE’s Canadian Centre for Cyber Security (the Cyber Centre) reminds the Canadian cybersecurity community, especially infrastructure network defenders, to be vigilant against sophisticated cyber threats.
Canadian Armed Forces cyber capabilities:
- Defensive cyber operations are employed to respond and/or counter a threat by an adversary in cyberspace, whereas offensive cyber operations are conducted to project power in, or through, cyberspace to achieve effects in support of military objectives.
- CSE and the CAF continue to develop and scale offensive and defensive cyber operations capabilities. This partnership enables cyber operations and provides the Government of Canada flexibility in achieving strategic objectives.
- The Canadian Armed Forces holds the responsibility of safeguarding its military networks on a continuous basis, and actively cooperates with CSE and international partners to help protect joint critical networks among Allies and within NATO.
Background
CSE and its Canadian Centre for Cyber Security
- Cyber security is a foundation for Canada’s future, for our digital economy, our personal safety, and national prosperity and competitiveness.
- Every day, the Communications Security Establishment (CSE) uses its sophisticated cyber and technical expertise to help monitor, detect, and investigate threats against Canada’s information systems and networks, and to take active measures to address them.
- Recent geopolitical events have elevated the potential risk of cyber threats, as outlined in the 2023-2024 National Cyber Threat Assessment.
- CSE continues to publish advice and guidance to help organizations be less vulnerable and more secure. It works with industry partners, including government and non-government partners, to share threat information and cyber security best practices.
- Cyber security is a whole-of-society concern, and the federal government works together with other jurisdictions, organizations, as well as critical infrastructure network defenders to raise Canada’s cyber security bar.
- If Canadian companies have been impacted by cyber threats, they are urged to contact the Cyber Centre toll free at 1-833-CYBER-88, by email at contact@cyber.gc.ca, or visit Cyber.gc.ca.
Canadian Armed Forces and the Communications Security Establishment Cooperation
- The Canadian Armed Forces and CSE have a long history of partnership in the development of highly technical and specialized capabilities that support Canadian Armed Forces operations.
- These activities are subject to CSE’s rigorous system of internal policies and procedures as well as independent oversight and review.
- Cooperation between the Canadian Armed Forces and CSE ensures the best use of tools and capabilities, reduces unnecessary duplication of efforts, leverages each other’s authorities, and improves the chances of meeting mission objectives.
Authorizations and safeguards
- Cyber operations undertaken in support of government objectives will be pursuant to the CSE Act, and the Crown Prerogative and the National Defence Act, and will be consistent with Canada’s international legal obligations.
- CSE is prohibited by law from targeting the private information of Canadians or any person in Canada and must not infringe the Canadian Charter of Rights and Freedoms.
- Cyber operations conducted under CSE authorities require the Minister of National Defence to issue a Ministerial Authorization, which requires either consultation with the Minister of Foreign Affairs (for defensive cyber operations) or at the request of or with the consent of the Minister of Foreign Affairs (for active cyber operations).
- In conducting cyber operations, Canada recognizes the importance of adhering to international law and agreed norms of responsible state behaviour in cyberspace. Canada’s authorities and governance framework to conduct cyber operations are supported by a strong independent review process, as well as internal oversight for operational compliance.
- Foreign cyber operations are further subject to proven checks and balances such as rules of engagement, targeting and collateral damage assessments.
Cyber operations
- Strong, Secure, Engaged (SSE) committed the Canadian Armed Forces to assuming a more assertive posture in the cyber domain by hardening its defences, and by conducting offensive cyber operations against potential adversaries as part of government-authorized military missions.
- The CSE Act authorizes CSE to carry out 2 different types of foreign cyber operations: active and defensive. Both types of operations involve taking action in cyberspace to disrupt foreign-based threats to Canada.
- Defensive cyber operations (DCO) can be used to help protect systems of importance and federal institutions during major cyber incidents when cyber security measures alone are not enough.
- Active cyber operations (ACO) can be used proactively to disrupt foreign-based threats to Canada’s international affairs, defence or security interests.
Canadian Armed Forces cyber operator
- SSE directed the creation of the Canadian Armed Forces Cyber Operator occupation. This trade includes both Reserve and Regular Force members who conduct both defensive and offensive cyber operations with the goal of supporting operational objectives and delivering tactical effects.
Cyber mission assurance program
- Strong, Secure, Engaged (SSE) directed the creation of the Cyber Mission Assurance Program. It is part of the cyber capability to protect critical military networks and equipment from cyber threats. Platforms like aircraft, ships, and vehicles are becoming increasingly dependent on cyberspace. The Cyber Mission Assurance Program ensures that cyber resilience is a primary consideration when new equipment is procured.
- Cyber threats pose unique challenges in projecting and sustaining military power. The changing global environment and the increasing dependence on cyberspace technologies demand a significant change in our culture. The introduction of a cyber-resiliency mindset in all our activities is required for the CAF to maintain its competitive advantage. The Cyber Mission Assurance Program focuses on managing the risks associated with cyber threats, to improve resilience, and increase the probability of mission success.
Ransomware
- Ransomware continues to pose a threat to Canada’s national security and economic prosperity and is one of the most impactful cyber threats in Canada, benefiting significantly from the specialized cybercrime economy and the growing availability of stolen information.
- Due to its impact on an organization’s ability to function, ransomware is almost certainly the most disruptive form of cybercrime facing Canadians.
- Cybercriminals deploying ransomware have evolved in a growing and sophisticated cybercrime ecosystem and will continue to adapt to maximize profits.
- Threat actors will typically compromise a victim, encrypt their data, and demand ransom to provide a decryption key. They may also threaten to sell the stolen information on the dark web and demand further payment to prevent that posting.
- Data stolen during a ransomware attack almost certainly enables further cyber threat activity from a range of actors. Threat actors can also leverage sensitive business information to support commercial espionage.
- Ransomware can incur significant costs, disrupt the operation of important systems, damage or destroy an organization’s data, and reveal sensitive information.
- A ransomware attack can prevent access to essential services and in some cases, threaten Canadians’ physical safety and wellbeing.
- The Government of Canada is working to reduce the threat of ransomware by targeting and disrupting cybercriminals, coordinating strategies with international allies and issuing advice, guidance, and services for those affected by ransomware.
- CSE also published the 2023-2024 National Cyber Threat Assessment (NCTA) which highlights the cyber threats faced by individuals and organizations in Canada, including ransomware.
- In May 2023, the Cyber Centre launched a new pilot pre-ransomware notification initiative in the fight against ransomware.
- Since the pilot launch, the Cyber Centre has issued pre-ransomware notifications to over 250 Canadian organizations in a variety of sectors including healthcare, energy, finance, manufacturing, and education.
- Although it remains a business decision, organizations should be aware that paying a ransom funds criminal enterprise. It also enables further malicious cyber activity and ultimately there is no guarantee that cybercriminals will return stolen information.
If pressed on any specific ransomware group and/or activities:
- CSE does not comment on specific cyber security incidents; however, it continues to provide advice and guidance to Canadians and Canadian organizations, if and when requested.
- CSE’s Canadian Centre for Cyber Security continues to monitor new forms of ransomware and vulnerabilities, and shares tips and threat information with partners across Canada to help mitigate risks.
- I encourage all victims to report cybercrime activities to local law enforcement and the RCMP. I also encourage victims to report a cyber incident to CSE’s Canadian Centre for Cyber Security (Cyber Centre) toll free at 1-833-CYBER-88, by email at contact@cyber.gc.ca, or report an incident through the Cyber.gc.ca website.
Quick facts
- Malicious cyber activity poses an ongoing threat to Canada’s federal institutions and critical infrastructure. This includes criminal activity such as ransomware attacks, and state-sponsored activity for strategic gain. The Cyber Centre’s automated defences protect the Government of Canada from over 6 billion malicious actions a day. These include attempts to map systems and networks, to extract information or to deploy malware.
- As outlined in the 2023-24 NCTA, cybercrime is the cyber threat Canadians are most likely to face.
Background
- Cybercrime is big business for cybercriminal organizations and has major impacts on Canada’s economic security.
- In the Cyber Centre’s National Cyber Threat Assessment (NCTA) 2023-24 unclassified threat report, they outlined how cybercrime continues to be the cyber threat activity most likely to affect Canadians and Canadian organizations.
- CSE and the Cyber Centre use the breadth of their mandate to reduce the impact of cybercrime on Canadian businesses, organizations and individuals. Ongoing efforts include:
- collecting intelligence on cybercrime groups
- enhancing cyber defences to protect critical systems against cybercrime threats
- advising Canadian critical infrastructure providers on how to protect themselves against cybercrime; and
- using our active cyber operations capabilities (ACO) to disrupt the activities of cybercrime groups
- For example, under these authorities, CSE has launched an enduring campaign to disrupt foreign cybercriminals who threaten Canadian and allied systems with ransomware attacks. These systems include health care providers and other critical infrastructure owners.
- Under this campaign, CSE has executed dozens of operations that have disrupted the foreign infrastructure used by these groups. These operations have allowed the Cyber Centre and other cyber defenders to work with these system owners to prevent them from becoming victims of ransomware attacks.
- In addition, working with Canadian and allied partners, CSE has conducted ACO to reduce the ability of cybercrime groups to:
- target Canadians, Canadian businesses and institutions
- launch ransomware attacks; and
- solicit, buy and sell cybercrime goods and services including:
- Canadian personal information
- Canadian proprietary information
- Malware
- These operations imposed costs on cybercrime groups by making their activities more difficult and less profitable. The aim is to deter future cybercrime attempts on Canadian targets.
Foreign interference and the democratic process
- The Government of Canada takes seriously its responsibility to protect Canadians from foreign interference, regardless of the source.
- Pursuant to the CSE Act, the Communications Security Establishment Canada (CSE) and its Canadian Centre for Cyber Security (Cyber Centre) share intelligence and information with government clients, including appropriate authorities in Parliament.
- The House of Commons and Senate are independent, and their officials are responsible for determining when and how to directly engage with MPs and Senators.
- CSE continues to monitor GC networks and systems of importance for cyber threats. They are working in close coordination with government partners, including relevant security agencies.
- CSE helps to protect Canada’s democratic process by:
- providing foreign signals intelligence to Government of Canada decision makers about the intentions, capabilities, and activities of foreign-based threat actors;
- defending Canada’s federal elections infrastructure from malicious cyber activity;
- proactively helping democratic institutions improve their cyber security;
- sharing unclassified threat assessments with the public; and,
- sharing information to help Canadians identify disinformation.
- To support Parliamentarians, the Cyber Centre, part of CSE, provides a 24/7 hotline service offering direct support in the event of a cyber incident. The Cyber Centre has provided cyber threat briefings to political parties as well as a dedicated point of contact at the Cyber Centre for assistance with cyber security matters.
- In the run-up to both the 2019 and 2021 federal elections, the Minister of National Defence authorized CSE to conduct defensive cyber operations (DCO) to protect Canada’s election infrastructure from malicious cyber activity if needed. In the event, no activities took place that would have required a DCO response.
- CSE’s Canadian Centre for Cyber Security works closely with Elections Canada, elections authorities and political parties on cyber security preparedness. This includes offering briefings, training resources, consultations, tailored advice and cyber security services.
- The Cyber Centre has an ongoing relationship with Elections Canada, which includes:
- monitoring services to detect cyber threats;
- working with them to secure their computer networks; and,
- incident response assistance, if necessary.
- Provincial and territorial elections authorities can take advantage of services the Cyber Centre provides to critical infrastructure partners, such as:
- cyber alerts (including mitigation steps);
- malware analysis; and,
- cyber incident advice and support.
Background
Communications Security Establishment Canada:
- The Communications Security Establishment Canada (CSE) is Canada’s centre of excellence for cyber operations. As one of Canada’s key security and intelligence organizations, CSE protects the computer networks and information of greatest importance to Canada and collects foreign signals intelligence.
- CSE also provides assistance to federal law enforcement and security organizations in their legally authorized activities, when they may need CSE’s unique technical capabilities.
State-sponsored actors targeting parliamentarians (APT31):
- 18 Canadian members of the Inter-Parliamentary Alliance on China (IPAC) were notified by the Executive Director in April 2024 that they were targeted by a Chinese state-sponsored cyber actor. This information was based on an FBI report that assessed IPAC members were targeted by Advanced Persistent Threat actor (APT) 31.
- The FBI report was received by Canada’s security agencies, and the information that included the names of the targeted parliamentarians was shared in 2022.
- CSE shared specific, actionable technical information on this threat with House of Commons (HoC) officials, as would be our normal process with other Government of Canada partners when threats are detected.
- This engagement with the HoC started well before receiving the FBI report in question, as we had been tracking and helping them to take quick and appropriate measures within their systems to protect their network and users against this, and other threats. Questions related to how MPs are engaged on situations like this would be best addressed by HoC officials.
Threats to democratic process report (TDP 4):
- On December 6, 2023, CSE published the fourth iteration of Cyber Threats to Canada’s Democratic Process (TDP4), which provides an update to the 2017, 2019 and 2021 reports released by CSE. Its purpose is to inform Canadians about the cyber threats to our democratic process in 2023.
Key findings
- This assessment considers cyber threat activity and cyber-enabled influence campaigns, which use hacking and/or generative AI to influence opinions and behaviours.
- The worldwide proportion of elections targeted by cyber threat activity increased from 23% in 2021 to 26% in 2022.
- In 2022, 85% of cyber threat activity targeting elections was unattributed, meaning it could not be credited to a particular state-sponsored actor.
- In 2022, cyber threat activity aimed at influencing voters was 7 times more common than activity targeting election infrastructure.
The Canadian Centre for Cyber Security:
- As part of the Communications Security Establishment Canada (CSE), the Canadian Centre for Cyber Security (Cyber Centre) brings over 70 years of experience protecting Canada’s most sensitive information and networks. Bringing together operational security experts from across the Government of Canada, the Cyber Centre is the Government of Canada’s authority on cyber security.
- Defending the Government of Canada’s information systems provides the Cyber Centre with a unique perspective to observe and analyze trends in the cyber threat environment.
- The Cyber Centre works closely with other government agencies, industry partners, and with the public to share knowledge and experience to improve cyber security for Canadians and to make Canada more resilient against cyber threats.
CSE accountability, oversight, and review
- The Communications Security Establishment Canada’s (CSE) mandate is defined in the CSE Act, with clear limits to protect Canadian privacy. CSE monitors its activities internally, while external bodies oversee and review its activities on behalf of Canadians to ensure they comply with the law. CSE is committed to being as open and transparent as possible, while still protecting classified information.
- CSE is subject to ongoing review by two independent external review bodies that play an integral role in enhancing accountability and transparency:
- the National Security and Intelligence Review Agency (NSIRA); and
- the National Security and Intelligence Committee of Parliamentarians (NSICOP).
- Based on their distinct mandates, both NSIRA and NSICOP are responsible for reviewing Government of Canada national security and intelligence activities. Whereas NSIRA consists of Governor-in-Council appointees, NSICOP consists of members of Parliament and Senate.
- Through their public reports, NSIRA and NSICOP increase transparency for Canadians on the activities of the security and intelligence community and help ensure CSE and other members of the community are held accountable for their national security and intelligence activities.
- CSE actively supports external reviews by briefing review staff, answering questions, and providing access to classified and unclassified materials. In addition to NSIRA and NSICOP, the Intelligence Commissioner (IC) provides oversight by approving authorizations for certain CSE and CSIS activities prior to their execution.
- Similar to review bodies, the IC prepares annual public reports that allow Canadians to have a better understanding of the activities CSE and CSIS undertake.
- CSE values independent, external review and oversight of its activities, and remains committed to cooperating with these important institutions.
- CSE also maintains an internal compliance program to ensure that CSE operations conform to the law and CSE policies, including protecting the privacy of Canadians and people in Canada.
- Beyond reviews, CSE and its Canadian Centre for Cyber Security (Cyber Centre) publish numerous publications on their websites to promote transparency and share information with Canadians.
- Key publications include CSE's Annual Report, the National Cyber Threat Assessment (NCTA), Threats to Democratic Processes Report (TDP), as well as various cyber threat alerts.
- CSE also actively promoted transparency through its parliamentary appearances, media interviews, Access to Information responses, proactive disclosures, responses to Order Paper Questions, social media posts, and active participation in public events, such as conferences.
- CSE remains active in its commitment to being as open and transparent as possible, while still taking appropriate measures to protect the integrity of its operations.
Background
Quick Facts
This year, CSE’s internal compliance team conducted:
- compliance training
- annual compliance knowledge accreditation
- compliance incident handling
- compliance assessments of operational activities
- compliance outreach and education
In the 2024 Authorization cycle, CSE submitted a total of 6 Ministerial Authorizations to the Intelligence Commissioner (IC):
- 3 Foreign Intelligence Authorizations
- 3 Cybersecurity Authorizations
The IC fully approved 5 of the 6 Authorizations. The IC partially approved 1 Authorization, for foreign intelligence activities. The partially approved authorization included proposed enabling activities under a basket clause drawn from the CSE Act. The IC concluded that CSE had not provided sufficient details to approve the proposed activities.
CSE External Review statistics in FY 2023-24:
- contributed to 25 external reviews
- gave 31 briefings to review bodies
- answered 317 questions
- answered 96% of questions by the requested due date, a significant increase from last year.
- Of the 256 external reviews CSE supported this fiscal year, 3 were reviews into foreign interference in Canada’s federal elections. These reviews were conducted by NSIRA, NSICOP, and the Independent Special Rapporteur (ISR).
In addition to the foreign interference reviews noted above, the Foreign Interference Commission was appointed in September 2023 to conduct a Public Inquiry into Foreign Interference in Federal Electoral Processes and Democratic Institutions (PIFI). CSE supports the Government of Canada's response to PIFI through document production, witness testimony and affidavits, and redaction or sanitization of information for release to the public.
This year, CSE’s transparency activities included:
- 110 Order Paper question responses
- 5,580 social media posts
- speeches, conferences and public events
- 6 parliamentary appearances
- 4 public reports
- 55 media interviews
- 4 news conferences
- 52 Open Government releases
- 33 Access to Information responses
- 12 proactive disclosures
National Security and Intelligence Review Agency Annual Report (2022)
- NSIRA reviews CSE’s activities for lawfulness and to ensure that the activities are reasonable, necessary, and compliant with ministerial direction. NSIRA also serves as the body for any complaints against CSE.
- In its 2022 report, NSIRA completed two dedicated reviews of CSE, and commenced an annual review of CSE’s activities. This included:
- a review of CSE’s active and defensive cyber operations (ACO/DCO), which is a continuation of NSIRA’s 2021 review of the governance of ACO/DCO by CSE and Global Affairs Canada;
- a review of a sensitive CSE foreign intelligence collection program, which assisted NSIRA in better informing the Minister of National Defence about CSE’s activities; and
- an annual review of CSE activities similar to that for CSIS, begun for the first time in 2022 and that informed, in part, NSIRA’s 2022 annual report to the Minister of National Defence.
Overall, NSIRA found that ACOs and DCOs that CSE planned or conducted during the period of review were lawful and noted improvements in GAC’s assessments for foreign policy risk and international law. NSIRA further observed that CSE developed and improved its processes for the planning and conduct of ACOs and DCOs in a way that reflected some of NSIRA’s observations from the governance review.
Growth, recruitment, and retention
- Over the years, CSE has experienced continued and sustained growth that has enabled the agency to adapt and address the growing cybersecurity landscape.
- No other governmental agency within Canada is undertaking the crucial cyber security work done at CSE. In fact, only a few other jurisdictions around the world have similar operations, thereby positioning Canada’s cryptological agency at the forefront of cyber operations and defence.
- There is, however, a global shortage of skilled cyber professionals. Tackling this problem requires collaboration between government, industry, and academia. As Canada’s national centre for cyber expertise, the Canadian Centre for Cyber Security (the Cyber Centre) plays a coordinating role to support and guide these efforts.
- More specifically, in April 2023, in consultation with partners in industry and academia, the Cyber Centre published the Canadian Cyber Security Skills Framework. The framework highlights current gaps in Canada’s labour market and the skills needed to fill different cyber security roles.
- Recruiting skilled employees in the high-tech field remains challenging and highly competitive. At CSE, the same is true due to the specific technical knowledge required for many positions within the organization.
- Despite the highly competitive nature of recruitment, CSE has been recognized as a Top Employer in 2020, 2021, and 2022, as well as one of Canada’s Top Employers for Youth for the past eight years in a row. In addition, CSE was named one of the National Capital Region’s Top Employers for 2024. CSE and the Cyber Centre are hiring for a variety of positions including foreign language intelligence analysts, engineers, mathematicians, computer science specialists, and cyber security professionals.
- To attract top talent, over the past year, CSE’s candidate outreach team travelled across the country to participate in over 160 recruitment and networking events. Additionally, CSE leveraged specific job boards to further attract racialized and Indigenous applicants and ran 2 advertising campaigns to reach more potential candidates. Our efforts have resulted in a major increase in applications across the board, and particularly from many equity-seeking groups.
- CSE also received significant recognition through the Government’s recently announced Defence Policy Update (DPU), titled: Our North Strong and Free: A Renewed Vision for Canada’s Defence.
- The DPU proposes significant new investments in CSE, through Budget 2024, to support foreign cyber operations and enhanced foreign intelligence capabilities.
- The DPU includes a commitment of $917 million over five years to support Canada’s Foreign Cyber Operations Program and increase foreign intelligence collection capabilities, and a total commitment of $2.83 billion over 20 years.
Quick Facts
- At CSE there is a 2% retirement and 2% resignation rate for a total of 4% attrition per year.
- CSE has a relatively low attrition rate which reflects its investment in creating a healthy work environment, encouraging employee professional development, embracing diversity and inclusion as mission imperatives, and having excellent counselling and employee support programs in place.
Background
Equity, Diversity and Inclusion
- As a security and intelligence organization, promoting diversity at CSE allows the workplace to integrate broad perspectives, experiences, and worldviews into its operations. As a result, individuals can pursue CSE’s mission in a nurturing and welcoming environment.
- Working with equity-deserving groups both inside and outside of CSE on the promotion of equity, diversity and inclusion will enable CSE to evolve its processes, operations and policies in a manner that serves all Canadians effectively.
- In an effort to work towards reconciliation, CSE continues to participate in the Government of Canada’s IT Apprenticeship Program for Indigenous Peoples, a program that matches First Nations, Inuit and Métis candidates to help them build the skills they need for an IT career in the federal public service.
Defence policy update
- The Government announced its Defence Policy Update (DPU), titled: Our North Strong and Free: A Renewed Vision for Canada’s Defence, on April 8, 2024.
- The DPU proposes significant new investments in the Communications Security Establishment Canada (CSE), through Budget 2024, to support foreign cyber operations and enhanced foreign intelligence capabilities.
- The DPU includes a commitment of $917 million over five years to support Canada’s Foreign Cyber Operations Program and increase foreign intelligence collection capabilities, and a total commitment of $2.83 billion over 20 years.
- These investments will enable Canada to take actions through cyberspace to counter threats, advance foreign policy interests, and support military operations.
- With this investment, CSE will be able to:
- Protect Canada’s sovereignty, including our Arctic and northern regions.
- Further help protect Canadians from cyber threats, international extremism, and hostile state activity such as espionage, foreign interference, and disinformation.
- Keep pace with technological change, maintain our skills advantage in cyberspace, and ensure interoperability with our allies.
- Protect critical infrastructure including the communications and information systems that we rely on; and
- Contribute operational expertise to military operations and key alliances such as NATO.
- This additional investment reflects the confidence the government has in CSE because of our track record of delivering results.
Background
Foreign cyber operations (FCO)
FCO is an umbrella term for activities conducted under CSE’s active cyber operations (ACO) mandate and defensive cyber operations (DCO) mandate – to protect the Government of Canada or systems of importance from malicious activity.
In short: we take action online to counter foreign-based threats and advance Canada’s international affairs, defence, or security interests. These are informed by both our foreign intelligence mandate and our cyber defence capabilities.
CSE has a proven track record that respects and reinforces Canada’s statement on international law and cyber norms outlined by the Minister of Foreign Affairs.
Since the CSE Act came into effect in 2019, CSE has conducted active cyber operations to:
- counter hostile state activity
- counter cybercrime
- disrupt foreign extremists
- assist the Canadian Armed Forces
Internationally, the US, UK, and Australia have all made multi-billion-dollar investments in cyber operations. This is now an important aspect of the Five Eyes alliance and we see cyber becoming increasingly relevant to other international partnerships, many of which have domestic impacts, such as the International Counter Ransomware Initiative.
Collaboration with the Canadian Armed Forces
CSE works in close collaboration with the Canadian Armed Forces (CAF) on signals intelligence operations in support of defence intelligence requirements. CSE also provides important technical expertise to the CAF in relation to signals collection and analysis.
This partnership ensures that the CAF has improved domain awareness and force protection as it conducts its operations globally.
Increasingly, cyber is becoming a key domain of conflict. This was demonstrated clearly by Russian cyber-attacks on Ukrainian military and infrastructure in the lead-up to and following Russia’s full-scale invasion of Ukraine.
As was announced on April 8, 2024, to improve the Canadian Armed Forces’ ability to conduct cyber operations, CSE will work with the CAF to stand up a joint Canadian cyber capability, as part of the CAF’s broader efforts to establish a Canadian Armed Forces Cyber Command.
Working together in this way, we will be able to integrate the unique strengths of both organizations into a unified team that will conduct active cyber operations in support of Canadian interests.
Emerging technology
- The Communications Security Establishment Canada (CSE) is a thought leader and pathfinder in emerging digital and cyber technologies. CSE’s expertise is leveraged to inform Government policies on emerging technologies, ranging from 5G to Artificial Intelligence (AI) and quantum.
- Despite emerging technologies being in varying states of development and realization, they all have implications for Canada’s economic prosperity, national security, and the individual safety and privacy of Canadians.
- While emerging technologies present great opportunities, they can also be maliciously deployed by sophisticated threat actors.
- For example, with machine learning, a rapidly developing subset of artificial intelligence, cyber threat actors can attack the models through adversarial machine learning techniques. These techniques exploit flaws in the machine learning model’s logic to deceive it or force it to return unintended, sometimes confidential, information.
- In November 2023, the Guidelines for secure AI system development were released. CSE’s Cyber Centre worked alongside the UK National Cyber Security Centre (NCSC), the US Cybersecurity and Infrastructure Security Agency (CISA), and 20 international partner organizations to develop and publish this document.
- CSE continues to advocate for the safe and secure use of online technology and has published an AI Fact Sheet to help inform Canadians generally on this evolving topic.
- Developments in quantum computing could also threaten the security of current cryptographic methods. CSE’s Cyber Centre is working with federal, commercial, academic, and international partners to develop reliable post-quantum cryptography.
- The Cyber Centre is a partner with the National Institute of Standards and Technology (NIST) in the United States. NIST recently published standards for 3 post-quantum cryptographic algorithms. These standards will enable cyber security solutions to be secure against the threat posed by quantum computers.
- Budget 2022 proposed new funding to enhance Canada’s cyber security capabilities through research investment. CSE has since been approved for $44.5 million over 9 years to fund academic research on cutting-edge technologies relevant to CSE’s activities.
- CSE’s Research Directorate includes teams of researchers in the fields of cryptography, cyber security, vulnerability research, high-performance computing, data science and artificial intelligence.
- CSE is also home to the Tutte Institute for Mathematics and Computing (TIMC), a government research institute focused on fundamental mathematics and computer science.
- The TIMC’s key research areas are cryptography and data science.
- While a large portion of its work is classified, when possible, results are released to the academic and open-source communities.
Background
- Technology evolves quickly. To keep up, CSE promotes a culture of constant innovation, including research and collaborative events.
- CSE has published several public reports that discuss Artificial Intelligence, including: the Threat from Large Language Model Text Generators, Adopting Artificial Intelligence with Security in Mind, and others. Additional information on CSE’s approach to AI can be found in the AI section of CSE’s annual report, as well as the Cyber Threats to Canada’s Democratic Processes 2023 publication.
- A particular focus in the 2022-23 fiscal year was the topic of foreign influence campaigns on social media. CSE researchers produced a comprehensive “problem book” outlining challenges in detecting malicious foreign influence campaigns and delivered tools to detect coordinated activity.
- Other research activities included developing data maps and conducting exploratory data analysis, engaging industry partners to develop and pilot methods for secure computation in insecure environments and conducting research to support the post-quantum cryptography standardization processes.
- CSE’s researchers working in applied research explore the current and incoming challenges the organization faces in carrying out its mission. They build solutions to enhance CSE’s capabilities. In the 2022-23 fiscal year, CSE developed the following products using data science to support the work of CSE analysts:
- Automated translation software for mission-critical languages that is faster and more accurate than previously available methods. It uses machine learning and was created in collaboration with partners in SIGINT.
- A suite of image analysis services to process, enrich and search our data collection.
- Tools to triage mission data, using data science to analyze text and identify topics.
- Tools that allow foreign intelligence/SIGINT analysts to better understand and detect influence and effects.