Canada’s cyber spy agency is about to get a major upgrade

Canada’s main international cyber agency is gaining the power to launch cyber attacks worldwide to take action against terrorist organizations, state-sponsored hackers, and foreign governments.

New legislation, tabled Tuesday, will give the Communications Security Establishment the power to do everything from targeting foreign hacking groups to taking out Islamic State propaganda.

The new power will embolden CSE to conduct those cyber attacks on its own, but also give it authority to cooperate with the Canadian military to conduct cyber operations during military missions abroad.

What remains unclear, however, is exactly where the line will be drawn between cyber activities that CSE can take on its own, and which activities need to be conducted alongside the military — and thus be governed by the laws of armed conflict and the rules of war.

The wide-ranging national security overhaul tabled by Public Safety Minister Ralph Goodale on Tuesday also formalizes the establishment’s ability to tap into the backbone of the internet to conduct foreign intelligence gathering.

“What this allows us to do here is, one, align ourselves with our other Five Eyes [intelligence sharing] partners to be able to give, stay up to the technological advantage, to have the ability to making sure we have all the tools within our national security framework to be able to deal with the threats,” Defence Minister Harjit Singh Sajjan told reporters on Tuesday.

CSE, which does roughly the same job as the American National Security Agency, has long been known to engage in widespread digital surveillance, so that much isn’t exactly new. But giving it new tools to take aim at foreign adversaries online is set to offer the establishment a serious new role when it comes to intelligence and defence.

Authorities for the spy agency had, previously, been secretive and drawn up on classified letterhead by the minister of national defence. Now, many of those powers are written in black-and-white in the law.

Under the new legislation, CSE’s job description has been made a whole lot clearer. In general, the act lays out five areas that the establishment is responsible for. CSE has also provided some direction on how these powers would work on the ground, through background briefings with journalists and explainers posted to their website.

Since the end of World War II, CSE has been mostly responsible for foreign surveillance, intercepting communications, and cryptography. Under C-59, that power get spelled out in a very specific way, with a direct recognition that CSE can covertly target the “global information infrastructure” — which could include the fibreoptic cables that make up the internet — just so long as it’s not in Canada. The establishment has been covertly doing this for years, as was revealed in leaks released by former NSA contractor Edward Snowden showing CSE had tapped the very backbone of the internet at more than 200 locations around the world in order to identify threats.

What C-59 says: If the minister of foreign affairs authorizes it, CSE’s abilities include: “Installing, maintaining, copying, distributing, searching, modifying, disrupting, deleting, or intercepting anything; doing anything that is necessary to maintain the covert nature of the activity; and carrying out any other activity that is reasonable in the circumstances and reasonably necessary.”

What CSE says: “What it’s doing is maintaining our ability to collect foreign signals intelligence. Certainly what it’s doing is providing much more transparency, it’s much more precise in terms of what we can do in cyberspace in order to collect foreign signals intelligence,” said one senior CSE official, when asked about the bill’s specific mention of the “global information infrastructure.”

With fears increasing that Canada could be the target of a large-scale cyber attack, CSE has ramped up its work on cybersecurity in recent years, especially as previous attacks — which have ranged from hacktivist denial-of-service attacks on government websites to state-sponsored intrusions into sensitive government research — have made Ottawa look helpless to defend itself.

What C-59 says: CSE will be given wide berth to do whatever is necessary to run defence for the government of Canada, including tapping into the backbone of the internet or accessing any government computer network — Canadian or foreign — and, with permission, private infrastructure as well. The Minister of National Defence must deem it necessary for Canada’s cybersecurity.

What CSE says: “What will do is continue to set up shields, and try and protect ourselves as best as possible. What a defensive cyber operation would allow us to do is to actually figure out where the source of this attack is coming from and shut it down at the source,” said one senior CSE official.

The new part of CSE’s mandate is offensive cyber operations, which puts the establishment in an interesting gap between CSIS, which is responsible for intelligence work abroad, and the Canadian Armed Forces, which is now responsible for cyber operations during conflict. Finding out where CSE fits into things will be an interesting proposition.

What C-59 says: With sign off from the foreign affairs minister, CSE can deploy a lot of the same tools it uses to conduct intelligence-gathering, but to much different ends. Cyber operations could do anything from taking entire governments offline to shutting down power plants or knocking drones out of the sky. The law forbids any activities that could cause death or injury or that could “obstruct, pervert or defeat the course of justice or democracy.” Those limitations, however, wouldn’t apply if CSE were conducting cyber attacks on behalf of the Canadian Armed Forces.

What CSE says: “If the government of Canada decides there is a server somewhere in the world [that’s] radicalizing Canadians, that doesn’t fall within a specific military mission, how do you go about doing something to that particular server to address the radicalization activity that’s going on? That’s where you could rely on CSE,” one senior CSE official told VICE News.

CSE has long had a little-understood power, authorizing it to cooperate with other law enforcement and intelligence agencies. It’s generally understood that the Canadian Border Services Agency, the Canadian Security Intelligence Service, and the RCMP have used CSE to intercept communications and decrypt locked systems. It’s under this mandate that CSE is allowed to surveil and watch Canadians.

What C-59 says: The bill will require that the requesting agency has a warrant for the surveillance they’re seeking help with. It will also expand the CSE’s authority to allow it to lend a hand to the Canadian Armed Forces for any activity that takes place in the course of a military mission.

What CSE says: “CSE won’t be doing anything on its own … This will complete the picture in terms of how CSE’s sophisticated cyber capabilities can be leveraged by partners and by the government to disrupt any threat online. So, with CSIS, we’re going to be leveraged to stop domestic threats online, [and with the Canadian Armed Forces], helping to disrupt threats within a military context,” said one senior CSE official.

Under the agency’s mandate, it is not allowed to surveil Canadians, unless it is doing so at the behest of another Canadian agency. But there has long been confusion and question over exactly how those symbiotic relationships would work.

C-59 is significantly more up-front about that issue that the current law. The bill maintains that CSE can collect information on Canadians, so long as it was collected “incidentally” — namely, that CSE wasn’t targeting the Canadian.

The bill also says that if CSE believes “there is an imminent danger of death or serious bodily harm to any individual” and surveilling a Canadian will avert the danger, it has the authority to conduct the operation.

The legislation will also require that CSE gets approval for its foreign intelligence and cyber operations from the newly-created role of intelligence commissioner — a big step up from its current approval process, which is largely limited to the leadership of CSE and the minister of national defence.