Foreign Cyber Operations

On August 1, 2019 the Communications Security Establishment Act (CSE Act) came into force. The CSE web site is being updated to reflect the changes in CSE’s authorities and the accompanying accountability and transparency measures.

What is new?

Under the proposed CSE Act, CSE would be authorized to conduct both defensive cyber operations and active cyber operations.

The defensive cyber operations aspect of CSE’s mandate would allow CSE to take action on or through the global information infrastructure to help protect:

  • federal institutions' electronic information and information infrastructures; and
  • electronic information and information infrastructures designated by the Minister as being of importance to the Government of Canada.

The active cyber operations aspect of CSE’s mandate would be to carry out activities on or through the global information infrastructure to degrade, disrupt, influence, respond to or interfere with the capabilities, intentions or activities of a foreign individual, state, organization or terrorist group as they relate to Canada’s defence, security or international affairs.

What does that mean?

CSE could be authorized to proactively stop or impede foreign cyber threats before they damage Canadian systems or information holdings, and conduct online operations to advance national objectives. For example, under defensive cyber operations CSE could disable a foreign server that was attempting to steal information about Canadians from a Government of Canada network. Under active cyber operations CSE could use on-line capabilities to interfere with the ability of terrorist groups to recruit Canadians or plan attacks against Canada and its allies.

Why are new authorities needed?

With constantly evolving global technological and threat landscapes, governments are rethinking national approaches and strategies to protect their citizens from threats. CSE’s foreign cyber operations mandate will provide Canada with the cyber means to respond to serious foreign threats, international crises, or events as part of a broader strategic approach.

Defensive Cyber Operations: CSE’s defensive cyber operations mandate would protect Canada and Canadians from foreign cyber threats that may jeopardize Canadian security, economic prosperity, and rights and freedoms. CSE helps to protect important cyber networks, but does not currently have the authority to take action online outside of Government of Canada networks to deter imminent or ongoing malicious cyber threats against Canada. With new legislation and the increased accountability measures that come with it, CSE would be authorized to take action online to defend Canadian networks, owned by both the Government of Canada and the private sector, and proactively deter cyber threats before they reach our systems.

Active Cyber Operations: The proposed CSE Act would allow the government to utilize CSE’s online capabilities in support of the government’s broader strategic objectives. Within strict legal parameters and approvals at the highest level of government, CSE would be permitted to take action online to disrupt foreign threats, including activities to protect our democratic institutions, counter violent extremism and terrorist planning, or counter cyber aggression by foreign states.

Transparency and Accountability

CSE’s active cyber operations would be carefully targeted, by law, to the activities of foreign individuals, states, organizations or terrorist groups that have implications for Canada’s international affairs, defence or security. These operations would be developed as part of a broader Government of Canada strategic approach or in response to a serious crisis or threat, and would be built with Canada’s foreign policy objectives in mind.

CSE would be prohibited from directing defensive and active cyber operations activities at Canadians, any person in Canada, or the global information infrastructure in Canada. The proposed CSE Act would require that these activities be reasonable and proportional, and prohibit CSE from causing death or bodily harm, or willfully attempting to obstruct, pervert or defeat the course of justice or democracy.

These activities would only be undertaken under the authority of an active cyber authorization under a Ministerial two-key system. Ministerial Authorizations issued for active cyber operations would require the approval of the Minister of National Defence and the Minister of Foreign Affairs. Ministerial Authorizations issued for defensive cyber operations would require the approval of the Minister of National Defence and consultation with the Minister of Foreign Affairs. CSE would be required to report the outcomes of their activities to both ministers.

All activities conducted under the defensive cyber operations and active cyber operations mandate would be subject to review by the proposed National Security and Intelligence Review Agency, as well as the National Security and Intelligence Committee of Parliamentarians.