Cyber Threats To Canada's Democratic Process
About This Document
In response to a request from the Minister of Democratic Institutions, this report includes a threat assessment by the Communications Security Establishment (CSE) on cyber threats to Canada’s democratic process.
The goal of intelligence analysis is to provide readers with intellectually rigorous, objective, and timely products. CSE’s cyber threat assessments are based on an analysis process that includes evaluation of the quality of available information, exploration of alternative explanations, mitigation of biases, and application of probabilistic approaches.
In this assessment, we distinguish between fact, assumptions, and conclusions. We use the words “we assess” or “we judge” to convey an analytic assessment or judgement made by CSE. We also use words such as “possibly”, “likely”, and “very likely” to convey probability (see Annex A).
Many of the key judgements in this assessment rely on a body of reporting from multiple sources and are based on CSE’s knowledge and expertise in foreign intelligence and cybersecurity. However, this is an unclassified document and we cannot divulge classified intelligence, which would jeopardize sources and methods of intelligence collection. CSE cannot publicly reveal the full extent of our knowledge or the complete basis for our judgements.
This document discusses a wide range of cyber threats to Canadian political and electoral activities at the federal, provincial/territorial, and municipal levels.Endnote 3 Given the scope of the assessment, we do not look at the particular risks to and vulnerabilities of all elections, political parties and politicians, and media in Canada. Nor do we provide an exhaustive list of cyber capabilities, or the way that adversaries could deploy them, as the activities of Canada’s cyber adversaries would take chapters to catalogue.Endnote 4
As well, providing cyber threat mitigation advice is beyond the scope of this assessment. In a general sense, many of the cyber threats that we discuss throughout the assessment can be mitigated through cybersecurity (e.g. measures found in CSE’s Top 10 IT Security Actions), physical security, and business-continuity best practices.
This threat assessment is based on information available as of 7 June 2017.