Recommendation 1:
NSIRA recommends that Global Affairs Canada develop or otherwise leverage capability to enable it to independently assess potential risks resulting from the techniques used in CSE ACOs and DCOs.
CSE and GAC response to Recommendation 1:
CSE and GAC disagree with this recommendation.
In accordance with the CSE-GAC Governance Framework, GAC assesses CSE cyber operations for foreign policy risks and compliance with international law. CSE's internal risk assessment process assesses the cyber operation for technical risks based on the techniques used.
Just as CSE relies upon GAC to provide expertise in foreign policy and international law, GAC relies upon CSE to provide expertise on technologies and techniques at the forefront of development.
Accurate assessment of all risks from a cyber operation relies on the continuation of open and honest dialogue and trust between GAC and CSE. As such, CSE will continue to share information with GAC on techniques, whenever their use may have an impact on GAC's foreign policy risk assessment.
Recommendation 2:
NSIRA recommends that the Department of Justice be fully consulted at all stages of an ACO or DCO, particularly prior to operational execution.
CSE response to Recommendation 2:
CSE agrees with this recommendation in principle.
CSE believes that the advice and guidance provided by the Department of Justice (DOJ) representatives embedded in CSE's Directorate of Legal Services (DLS) is integral to CSE's success. CSE consults with DLS at all relevant stages of a cyber operation. As a matter of practice, CSE consults DLS throughout the Joint Planning and Authorities Framework (JPAF) process and at a key stage, and more consultation is conducted when an activity is new or novel.
Internal tools developed by DLS are used to ensure that activities do not contravene the prohibitions set out in the CSE Act and assist analysts in identifying when a higher risk necessitates further legal review. Additionally, CSE's internal operational policy team is consulted on all key stages.
Recommendation 3:
NSIRA recommends that CSE abandon the practice of generic ACO and DCO applications to the Minister of National Defence, and instead submit individual applications.
CSE and GAC response to Recommendation 3:
CSE and GAC disagree with this recommendation.
When submitting an application for these particular ACO and DCO Ministerial Authorizations (MAs), CSE and GAC always ensure that the Minister of National Defence and the Minister of foreign Affairs are provided with a sufficient amount of information to make an informed decision as to whether CSE's proposed activities are reasonable and proportionate against a specific set of objectives. To that end, these particular ACO and DCO MAs are structured around key objectives in countering a number of well-defined threats globally. In that sense, they are not "generic", but their scope is broad enough to give CSE the flexibility to act against a wide range of targets, when the identity of threat actor or the location and context is unknown at the time of application.
For any operations assessed as falling under the authority of these MAs, the current governance framework allows for appropriate risk management of operations. CSE provides GAC with detailed mission plans for each operation, which allows for a proper assessment of foreign policy risks associated with CSE's cyber operations.
Following Recommendation no. 1 from the Governance review (FCO 1), CSE and GAC increased the amount of information included in the 2021 application for this MA. The level of detail was improved further in the 2022 application. Moreover, CSE and GAC work collaboratively on any new MAs to both ensure that relevant foreign policy objectives are reflected and that authorized operations are sufficiently scoped. Whenever an activity does not fit within the category covered by these MAs, CSE will submit a new application specific to that circumstance.
Recommendation 4:
NSIRA recommends that CSE always engage with CSIS, the RCMP, and any other federal departments or agencies as to whether those departments are in a position to reasonably achieve the objective of a cyber operation.
CSE response to Recommendation 4:
CSE agrees with this recommendation.
CSE values the importance of consulting with all relevant Government of Canada stakeholders. During the planning of operations, CSE has and will continue to strengthen its collaborative relationships with its partners, including engaging with CSIS, RCMP, and other relevant federal departments or agencies whose mandates may intersect with a planned ACO or DCO.
Recommendation 5:
NSIRA recommends that the Chief's applications for active and defensive cyber operations inform the Minister of National Defence that acquisition of information under a valid foreign intelligence, cybersecurity, or emergency authorization occurs as a result of cyber operations.
CSE and GAC response to Recommendation 5:
CSE and GAC agree with this recommendation.
This recommendation has already been addressed in the applications for the 2022-23 ACO and DCO Ministerial Authorizations.
Recommendation 6:
NSIRA recommends that documentation prepared as part of the CSE's cyber operations framework provide clear links to all known applicable foreign intelligence (or cybersecurity) missions.
CSE response to Recommendation 6:
CSE agrees with this recommendation.
Since the period under review, and partially stemming from NSIRA recommendations issued in the Governance review (FCO 1), CSE has implemented this change into its cyber operations framework. Under the current framework, the documentation now includes links to s.16 or s.17 operations that are directly relevant to a s.18 or s.19 cyber operation.
Recommendation 7:
NSIRA recommends that CSE continue to refine, and to define, the distinctions between activities conducted under different aspects of its mandate, particularly between ACO and DCO activities, but also with regard to foreign intelligence and cybersecurity activities.
CSE response to Recommendation 7:
CSE agrees with this recommendation in principle.
CSE agrees with the principle of understanding the nuances of its mandate. The CSE Act (ss.15-20) expressly distinguishes between the five aspects of the mandate. Operations are planned with an understanding of the scope and boundaries of the authorizing aspect of the mandate. CSE works closely with the Directorate of Legal Services (DLS) and its Operational Policy team to ensure that operations are planned and conducted under the appropriate authorities.
In the body of its report, NSIRA acknowledges both the clarity of the Act and of CSE's ability to explain why an operation should be authorized under a particular aspect of the mandate. CSE's policies and procedures governing the planning and conduct of operations rely on the distinction between aspects of the mandate. CSE's Mission Policy Suite addresses each aspect of the mandate and provides a distinction between ACOs and DCOs. The cyber operations framework provides for planning documentation that sets out why the objectives and nature of the planned operation align with the authorities of an ACO versus a DCO, notwithstanding the techniques being applied. Finally, CSE is in the process of launching updated legal and policy training to its operational staff.