Late last month, Global News published a story on how the Canadian government is involved in providing cyber support to the Ukrainian government in the face of Russia’s illegal invasion. While the Canadian military declined to confirm or deny any activities they might be involved in, the same was not true of the Communications Security Establishment (CSE). The CSE is Canada’s foreign signals intelligence agency. In addition to collecting intelligence, it is also mandated to defend Canadian federal systems and those designated as of importance to the government of Canada, provide assistance to other federal agencies, and conduct active and defensive cyber operations.1
From the Global News article it is apparent that the CSE is involved in both foreign intelligence operations as well as undertaking cyber defensive activities. Frankly these kinds of activity are generally, and persistently, undertaken with regard to the Russian government and so it’s not a surprise that these activities continue apace.
The CSE spokesperson also noted that the government agency is involved in ‘cyber operations’ though declined to explain whether these are defensive cyber operations or active cyber operations. In the case of the former, the Minister of National Defense must consult with the Minister of Foreign Affairs before authorizing an operation, whereas in the latter both Ministers must consent to an operation prior to it taking place. Defensive and active operations can assume the same form–roughly the same activities or operations might be undertaken–but the rationale for the activity being taken may vary based on whether it is cast as defensive or active (i.e., offensive).2
These kinds of cyber operations are the ones that most worry scholars and practitioners, on the basis that there is a risk that foreign operators or adversaries may misread a signal from a cyber operation or because the operation might have unintended consequences. Thus, the risk is that the operations that the CSE is undertaking run the risk of accidentally (or intentionally, I guess) escalating affairs between Canada and the Russian Federation in the midst of the shooting war between Russian and Ukrainian forces.
While there is, of course, a need for some operational discretion on the part of the Canadian government it is also imperative that the Canadian public be sufficiently aware of the government’s activities to understand the risks (or lack thereof) which are linked to the activities that Canadian agencies are undertaking. To date, the Canadian government has not released its cyber foreign policy doctrine nor has the Canadian Armed Forces released its cyber doctrine.3 The result is that neither Canadians nor Canada’s allies or adversaries know precisely what Canada will do in the cyber domain, how Canada will react when confronted, or the precise nature of Canada’s escalatory ladder. The government’s secrecy runs the risk of putting Canadians in greater jeopardy of a response from the Russian Federation (or other adversaries) without the Canadian public really understanding what strategic or tactical activities might be undertaken on their behalf.
Canadians have a right to know at least enough about what their government is doing to be able to begin assessing the risks linked with conducting operations during an active militant conflict against an adversary with nuclear weapons. Thus far such information has not been provided. The result is that Canadians are ill-prepared to assess the risk that they may be quietly and quickly drawn into the conflict between the Russian Federation and Ukraine. Such secrecy bodes poorly for being able to hold government to account, to say nothing of preventing Canadians from appreciating the risk that they could become deeply drawn into a very hot conflict scenario.
Not for lack of trying to access them, however, as in both cases I have filed access to information requests to the government for these documents 1 years ago, with delays expected to mean I won’t get the documents before the end of 2022 at best. ↩︎
A group of former senior Canadian government officials who have been heavily involved in the intelligence community recently penned an op-ed that raised the question of “does Canada need a foreign intelligence service?” It’s a curious piece, insofar as it argues that Canada does need such a service while simultaneously discounting some of the past debates about whether this kind of a service should be established, as well as giving short shrift to Canada’s existing collection capacities that are little spoken about. They also fundamentally fail to take up what is probably the most serious issue currently plaguing Canada’s intelligence community, which is the inability to identify, hire, and retain qualified staff in existing agencies that have intelligence collection and analysis responsibilities.
The authors’ argument proceeds in a few pieces. First, it argues that Canadian decision makers don’t really possess an intelligence mindset insofar as they’re not primed to want or feel the need to use foreign intelligence collected from human sources. Second, they argue that the Canadian Security Intelligence Service (CSIS) really does already possess a limited foreign intelligence mandate (and, thus, that the Government of Canada would only be enhancing pre-existing powers instead of create new powers from nothing). Third, and the meat of the article, they suggest that Canada probably does want an agency that collects foreign intelligence using human sources to support other members of the intelligence community (e.g., the Communications Security Establishment) and likely that such powers could just be injected into CSIS itself. The article concludes with the position that Canada’s allies “have quietly grumbled from time to time that Canada is not pulling its weight” and that we can’t prioritize our own collection needs when we’re being given intelligence from our close allies per agreements we’ve established with them. This last part of the argument has a nationalistic bent to it: implicitly they’re asking whether we can really trust even our allies and closest friends? Don’t we need to create a capacity and determine where such an agency and its tasking should focus on, perhaps starting small but with the intent of it getting larger?
Past Debates and Existing Authorities
The argument as positioned fails to clearly make the case for why these expanded authorities are required and simultaneously does not account for the existing powers associated with the CSE, the Canadian military, and Global Affairs Canada.
With regards to the former, the authors state, “the arguments for and against the establishment of a new agency have never really been examined; they have only been cursorily debated from time to time within the government by different agencies, usually arguing on the basis of their own interests.” In making this argument they depend on people not remembering their history. The creation of CSIS saw a significant debate about whether to include foreign human intelligence elements and the decision by Parliamentarians–not just the executive–was to not include these elements. The question of whether to enable CSIS or another agency to collect foreign human intelligence cropped up, again, in the late 1990s and early 2000, and again around 2006-2008 or so when the Harper government proposed setting up this kind of an agency and then declined to do so. To some extent, the authors’ op-ed is keeping with the tradition of this question arising every decade or so before being quietly set to the side.
In terms of agencies’ existing authorities and capacities, the CSE is responsible for conducting signals intelligence for the Canadian government and is tasked to focus on particular kinds of information per priorities that are established by the government. Per its authorizing legislation, the CSE can also undertake certain kinds of covert operations, the details of which have been kept firmly under wraps. The Canadian military has been aggressively building up its intelligence capacities with few details leaking out, and its ability to undertake foreign intelligence using human sources as unclear as the breadth of its mandate more generally.1 Finally, GAC has long collected information abroad. While their activities are divergent from the CIA or MI6–officials at GAC aren’t planning assassinations, as an example–they do collect foreign intelligence and share it back with the rest of the Government of Canada. Further, in their increasingly distant past they stepped in for the CIA in environments the Agency was prevented from operating within, such as in Cuba.
All of this is to say that Canada periodically goes through these debates of whether it should stand up a foreign intelligence service akin to the CIA or MI6. But the benefits of such a service are often unclear, the costs prohibitive, and the actual debates about what Canada already does left by the wayside. Before anyone seriously thinks about establishing a new service, they’d be well advised to read through Carvin’s, Juneau’s, and Forcese’s book Top Secret Canada. After doing so, readers will appreciate that staffing is already a core problem facing the Canadian intelligence community and recognize that creating yet another agency will only worsen this problem. Indeed, before focusing on creating new agencies the authors of the Globe and Mail op-ed might turn their minds to how to overcome the existing staffing problems. Solving that problem might enable agencies to best use their existing authorizing legislation and mandates to get much of the human foreign intelligence that the authors are so concerned about collecting. Maybe that op-ed could be titled, “Does Canada’s Intelligence Community Really Have a Staffing Problem?”
As an example of the questionable breadth of the Canadian military’s intelligence function, when the military was tasked with assisting long-term care home during the height of the Covid-19 pandemic in Canada, they undertook surveillance of domestic activism organizations for unclear reasons and subsequently shared the end-products with the Ontario government. ↩︎
Jason Healey and Robert Jervis have a thought provoking piece over at the Modern War Institute at West Point. The crux of the argument is that, as a result of overclassification, it’s challenging if not impossible for policymakers or members of the public (to say nothing of individual analysts in the intelligence community or legislators) to truly understand the nature of contemporary cyberconflict. While there’s a great deal written about how Western organizations have been targeted by foreign operators, and how Western governments have been detrimentally affected by foreign operations, there is considerably less written about the effects of Western governments’ own operations towards foreign states because those operations are classified.
To put it another way, there’s no real way of understanding the cause and effect of operations, insofar as it’s not apparent why foreign operators are behaving as they are in what may be reaction to Western cyber operations or perceptions of Western cyber operations. The kinds of communiques provided by American intelligence officials, while somewhat helpful, also tend to obscure as much as they reveal (on good days). Healey and Jervis write:
General Nakasone and others are on solid ground when highlighting the many activities the United States does not conduct, like “stealing intellectual property” for commercial profit or disrupting the Olympic opening ceremonies. There is no moral equivalent between the most aggressive US cyber operations like Stuxnet and shutting down civilian electrical power in wintertime Ukraine or hacking a French television station and trying to pin the blame on Islamic State terrorists. But it clouds any case that the United States is the victim here to include such valid complaints alongside actions the United States does engage in, like geopolitical espionage. The concern of course is a growing positive feedback loop, with each side pursuing a more aggressive posture to impose costs after each fresh new insult by others, a posture that tempts adversaries to respond with their own, even more aggressive posture.
Making things worse, the researchers and academics who are ostensibly charged with better understanding and unpacking what Western intelligence agencies are up to sometimes decline to fulfill their mandate. The reasons are not surprising: engaging in such revelations threaten possible career prospects, endanger the very publication of the research in question, or risk cutting off access to interview subjects in the future. Healey and Jervis focus on the bizarre logics of working and researching the intelligence community in the United States, saying (with emphasis added):
Think-tank staff and academic researchers in the United States often shy away from such material (with exceptions like Ben Buchanan) so as not to hamper their chances of a future security clearance. Even as senior researchers, we were careful not to directly quote NSA’s classified assessment of Iran, but rather paraphrased a derivative article.
A student, working in the Department of Defense, was not so lucky, telling us that to get through the department’s pre-publication review, their thesis would skip US offensive operations and instead focus on defense.
Such examples highlight the distorting effects of censorship or overclassification: authors are incentivized to avoid what patrons want ignored and emphasize what patrons want highlighted or what already exists in the public domain. In paper after paper over the decades, new historical truths are cumulatively established in line with patrons’ preferences because they control the flow and release of information.
What are the implications as written by Healey and Jervis? In intelligence communities the size of the United States’, information gets lost or not passed to whomever it ideally should be presented to. Overclassification also means that policy makers and legislators who aren’t deeply ‘in the know’ will likely engage in decisions based on half-founded facts, at best. In countries such as Canada, where parliamentary committees cannot access classified information, they will almost certainly be confined to working off of rumour, academic reports, government reports that are unclassified, media accounts that divulge secrets or gossip, and the words spoken by the heads of security and intelligence agencies. None of this is ideal for controlling these powerful organizations, and the selective presentation of what Western agencies are up to actually risks compounding broader social ills.
Legislative Ignorance and Law
One of the results of overclassification is that legislators, in particular, become ill-suited to actually understanding national security legislation that is presented before them. It means that members of the intelligence and national security communities can call for powers and members of parliament are largely prevented from asking particularly insightful questions, or truly appreciate the implications of the powers that are being asked for.
Indeed, in the Canadian context it’s not uncommon for parliamentarians to have debated a national security bill in committee for months and, when asked later about elements of the bill, they admit that they never really understood it in the first place. The same is true for Ministers who have, subsequently, signed off on broad classes of operations that have been authorized by said legislation.
Part of that lack of understanding is the absence of examples of how powers have been used in the past, and how they might be used in the future; when engaging with this material entirely in the abstract, it can be tough to grasp the likely or possible implications of any legislation or authorization that is at hand. This is doubly true in situations where new legislation or Ministerial authorization will permit secretive behaviour, often using secretive technologies, to accomplish equally secretive objectives.
Beyond potentially bad legislative debates leading to poorly understood legislation being passed into law and Ministers consenting to operations they don’t understand, what else may follow from overclassification?
Nationalism, Miscalculated Responses, and Racism
To begin with, it creates a situation where ‘we’ in the West are being attacked by ‘them’ in Russia, Iran, China, North Korea, or other distant lands. I think this is problematic because it casts Western nations, and especially those in the Five Eyes, as innocent victims in the broader world of cyber conflict. Of course, individuals with expertise in this space will scoff at the idea–we all know that ‘our side’ is up to tricks and operations as well!–but for the general public or legislators, that doesn’t get communicated using similarly robust or illustrative examples. The result is that the operations of competitor nations can be cast as acts of ‘cyberwar’ without any appreciation that those actions may, in fact, be commensurate with the operations that Five Eyes nations have themselves launched. In creating an Us versus Them, and casting the Five Eyes and West more broadly as victims, a kind of nationalism can be incited where ‘They’ are threats whereas ‘We’ are innocents. In a highly complex and integrated world, these kinds of sharp and inaccurate concepts can fuel hate and socially divisive attitudes, activities, and policies.
At the same time, nations may perceive themselves to be targeted by Five Eyes nations, and deduce effects to Five Eyes operations even when that isn’t the case. When a set of perimeter logs show something strange, or when computers are affected by ransomware or wiperware, or another kind of security event takes place, these less resourced nations may simply assume that they’re being targeted by a Five Eyes operation. The result is that foreign government may both drum up nationalist concerns about ‘the West’ or ‘the Five Eyes’ while simultaneously queuing up their own operations to respond to what may, in fact, have been an activity that was totally divorced from the Five Eyes.
I also worry that the overclassification problem can lead to statements in Western media that demonizes broad swathes of the world as dangerous or bad, or threatening for reasons that are entirely unapparent because Western activities are suppressed from public commentary. Such statements arise with regular frequency, where China is attributed to this or to that, or when Russia or Middle Eastern countries are blamed for the most recent ill on the Internet.
The effect of such statements can be to incite differential degrees of racism. When mainstream newspapers, as an example, constantly beat the drum that the Chinese government (and, by extension, Chinese people) are threats to the stability and development of national economies or world stability, over time this has the effect of teaching people that China’s government and citizens alike are dangerous. Moreover, without information about Western activities, the operations conducted by foreign agencies can be read out of context with the effect that people of certain ethnicities are regarded as inherently suspicious or sneaky as compared to those (principally white) persons who occupy the West. While I would never claim that the overclassification of Western intelligence operations are the root cause of racism in societies I do believe that overclassification can fuel misinformation about the scope of geopolitics and Western intelligence gathering operations, with the consequence of facilitating certain subsequent racist attitudes.
A colleague of mine has, in the past, given presentations and taught small courses in some of Canada’s intelligence community. This colleague lacks any access to classified materials and his classes focus on how much high quality information is publicly available when you know how and where to look for it, and how to analyze it. Students are apparently regularly shocked: they have access to the classified materials, but their understandings of the given issues are routinely more myopic and less robust. However, because they have access to classified material they tend to focus as much, or more, on it because the secretive nature of the material makes it ‘special’.
This is not a unique issue and, in fact, has been raised in the academic literature. When someone has access to special or secret knowledge they are often inclined to focus in on that material, on the assumption that it will provide insights in excess of what are available in open source. Sometimes that’s true, but oftentimes less so. And this ‘less so’ becomes especially problematic when operating in an era where governments tend to classify a great deal of material simply because the default is to assume that anything could potentially be revelatory to an agency’s operations. In this kind of era, overvaluing classified materials can lead to less insightful understandings of the issues of the day while simultaneously not appreciating that much of what is classified, and thus cast as ‘special’, really doesn’t provide much of an edge when engaging in analysis.
The solution is not to declassify all materials but, instead, to adopt far more aggressive declassification processes. This could, as just an example, entail tying declassification in some way to organizations’ budgets, such that if they fail to declassify materials their budgets are forced to be realigned in subsequent quarters or years until they make up from the prior year(s)’ shortfalls. Extending the powers of Information Commissioners, which are tasked with forcing government institutions to publish documents when they are requested by members of the public or parliamentarians (preferably subject to a more limited set of exemptions than exist today) might help. And having review agencies which can unpack higher-level workings of intelligence community organizations can also help.
Ultimately, we need to appreciate that national security and intelligence organizations do not exist in a bubble, but that their mandates mean that the externalized problems linked with overclassification are typically not seen as issues that these organizations, themselves, need to solve. Nor, in many cases, will they want to solve them: it can be very handy to keep legislators in the dark and then ask for more powers, all while raising the spectre of the Other and concealing the organizations’ own activities.
We do need security and intelligence organizations, but as they stand today their tendency towards overclassification runs the risk of compounding a range of deleterious conditions. At least one way of ameliorating those conditions almost certainly includes reducing the amount of material that these agencies currently classify as secret and thus kept from public eye. On this point, I firmly agree with Healey and Jervis.
Most fundamentally, is it in Canada’s interest to further normalize the growing use of CNA (Computer Network Attack) activities by states? Should CNA be classified as just another tool of statecraft? Should such capabilities be restricted to a deterrent role? Is cyber deterrence, whether through CNA capabilities or more conventional responses, even a practical goal, given difficulties of attribution and the inevitable overlap between CNE (Computer Network Exploitation) and CNA? Would improved defence and resilience be a preferable, or at least sufficient, response or are all three required?
As effective encryption spreads, it may well be that the future of SIGINT lies increasingly in “end point” operations and other activities designed to cripple or bypass that encryption, and some of those activities could certainly benefit from HUMINT assistance. But there are also pitfalls to that approach. Using on-the-scene people in foreign jurisdictions can mean putting individuals at extreme risk, and such operations also have increased potential to go wrong in ways that could expose Canada to extreme embarrassment and even retaliation. If the government is contemplating going down that road, it should probably be open with parliament and the public about its intentions.
Another new factor is the presence of Canadians in CSE’s hunting grounds. CSE was unable to assist during the FLQ crisis in 1970—it had no capability to monitor Canadians. In the post-2001 era, that is no longer true: the Internet traffic of Canadians mixes with that of everybody else, and CSE encounters it even when it is trying not to. When operating under judicial warrants obtained by CSIS or the RCMP, it deliberately goes after Canadian communications. CSE also passes on information about Canadians collected by its Five Eyes partners.
A special watchdog—the CSE Commissioner—was established in 1996 to monitor the legality of CSE’s activities. Over the years, Commissioners have often reported weaknesses in the measures the agency takes to protect Canadian privacy, but only once, last year, has a Commissioner declared CSE in non-compliance with the law.
Whether CSE’s watchdog is an adequate safeguard for the privacy of Canadians is a matter of continuing debate. One thing, however, is clear: As CSE enters its 71st year, the days when its gaze faced exclusively outward are gone for good.
Bill Robinson has done a terrific job providing a historical overview of Canada’s equivalent of the National Security Agency (NSA). His knowledge of the Communications Security Establishment (CSE) is immense.
Canadians now live in a country wherein this secretive institution, the CSE, is capable of massively monitoring our domestic as well as foreign communications. And, in fact, a constitutional challenge is before the courts that is intended to restrain CSE’s domestic surveillance. But before that case is decided CSE will analyze, share, and act on our domestic communications infrastructure without genuine public accountability. As an intelligence, as opposed to policing, organization its methods, techniques, and activities are almost entirely hidden from the public and its political representatives, as well as from most of Canada’s legal profession. A democracy can easily wilt when basic freedoms of speech and association are infringed upon and, in the case of CSE, such freedoms might be impacted without the speakers or those engaging with one another online ever realizing that their basic rights were being inhibited. Such possibilities raise existential threats to democratic governance and need to be alleviated as much as possible if our democracy is to be maintained, fostered, and enhanced.
Highly classified documents obtained by VICE News offer new insights into how Canada’s two-headed spy apparatus works to blend its intelligence, skirt court oversight of its spying powers, and intercept communications inside the country’s borders.
Christopher Parsons, postdoctoral fellow at the Munk School, says there is long-standing ambiguity over when CSE can and cannot spy on its own citizens. And it’s worrying.
“Generally, we have questions about how meaningful, or not meaningful, Mandate C actually is,” he told VICE News.
Craig Forcese, law professor at the University of Ottawa and one of Canada’s foremost experts on security policy, says Mandate C is a tunnel through the barrier stopping CSE’s from snooping on Canadians.
“If CSE is providing assistance to CSIS under Mandate C, then CSE is clothed with the same legal authority CSIS has,” Forcese says. “So it can act as CSIS’s technological appendix, including in conducting domestic surveillance.”
University of Ottawa Professor Wesley Wark, a specialist in intelligence and national security, says there is need for a review body that can actually investigate how Mandate C is used, “in a way typically that the current CSE Commissioner has not, I don’t think, very fully.”
“The Ministry returned the letter requesting further details to address concerns raised by the Minister’s Office in relation to CSIS authority to enter into subsequent arrangements without further approval from the Minister each time,” reads a summary of changes requested to the documents.
It’s unclear if the minister’s change was actually made.
“If the minister put a stop to that, he should be congratulated,” says Parsons. The simple fact that the agencies were trying to bestow themselves that power is “more than a little bit concerning,” he says.
It’s long been speculated that signals intelligence has been the basis for many warrants and criminal charges, but that the fingerprints of CSE’s involvement were scrubbed before the application to the court was made.
“There’s a real question whether it’s CSE or CSIS in the driver’s seat,” says Parsons.
I published a comment piece with the National Post today that quickly summarizes the importance and harms of Canada’s signals intelligence activities, especially as it pertains to persons living in Canada.
The key takeaway is:
Canadians are routinely accused of having sleepwalked into a surveillance nation. We haven’t. Instead, the federal government of Canada has secretly deployed mass-surveillance technologies focused on domestic and foreign communications alike and, even when caught red-handed, the government refuses to have a reasonable conversation about the appropriateness or legality of such technologies. Canadians deserve better from their government. More oversight and accountability is needed at a minimum, and cannot be dismissed as “red tape” given the magnitude of the surveillance operations conducted upon the population of Canada by its own government.
Canada’s electronic surveillance agency has secretly developed an arsenal of cyberweapons capable of stealing data and destroying adversaries’ infrastructure, according to newly revealed classified documents.
Christopher Parsons, a surveillance expert at the University of Toronto’s Citizen Lab, told CBC News that the new revelations showed that Canada’s computer networks had already been “turned into a battlefield without any Canadian being asked: Should it be done? How should it be done?”