CSE’s Cyber Shakeup

The House of Commons is now on summer break, but before everyone headed off, the The Trudeau/Goodale Liberals introduced a monumental rework of Canadian intelligence and security institutions. This accomplishes some of what the Liberals previously indicated, but as Wesley Wark points out, such substantial changes to Canada’s national security bureaucracy are surprising. The implications are complex, with major reform for those overseeing CSIS and CSE (two new institutions: the National Security and Intelligence Review Agency and the Intelligence Commissioner) and changes to CSE’s mandate.

Experts and politicians have some time to chew on this bill’s different aspects, and for all things CSE, an important view is the Lux Ex Umbra blog. However, here I want to offer a couple of thoughts on the cyber aspects of the reforms.  As others have pointed out, these reforms will help to normalize certain types of acts (network exploitation and attack). One argument is that Canada’s new framework will help normalize in the international arena what a lot of states have been doing covertly, under dubious legal authority — “effects” like hacking and exerting influence in various domestic and foreign jurisdictions. The Canadian approach could either be a model for others interested in legal reform, or contribute to making these actions more acceptable and legitimate around the world. Domestically, this is also a normalization of the sorts of things that CSE has done, or wanted to do, for some years now.

There’s an upside and downside here. If you assume that this is the sort of stuff the Five Eyes and CSE would be doing anyway, it’s good to have it under an explicit legal framework that can “reflect the reality of global communications today and participation in international networks such as Five Eyes”. From this view, the reforms are an improvement in accountability and oversight. On the other hand, if you think this is precisely the sort of thing governments should reject (and the focus should be purely on cyber defence and passive techniques), then the last thing we should do is put a government stamp on it. Instead of updating the law to legitimate what has been going on, we need to stop the most controversial activities revealed by Snowden (weakening crypto, hacking Google data links and compromising LinkedIn accounts of Belgian telecom engineers).

In Canada, we have never had a debate about these questions. The national security consultation that ostensibly informs this move was not designed to ask them. Canada’s role in the Five Eyes is not under revision, and Bill C-59 is meant to better “align ourselves” with these cyber “partners”. The partners are meeting this week, amid an active push by allies (specifically, Australia) to get Canada’s cooperation in countering encryption. There’s little indication where Canada stands on these questions today. However, given what appears to be our holding-steady with the Five Eyes and C-59’s new legal framework, CSE can still end up promoting insecurity, in secret, at our allies’ request.

Ultimately, the success of C-59 will depend on how effective the new accountability mechanisms are. Canada’s previous experience includes government assurances about legal compliance and oversight, while routine illegality and surprising legal interpretations are carried out in secret. Some of this previous experience (like the CSIS ODAC database) is addressed in C-59, but on the must fundamental question — what kind of security will Canada promote in the world? — we seem to be doing what Canada has done since we hitched our national security to the U.S. in late WWII: defaulting to our allies. We may have some bold new security legislation (and a Minister of Foreign Affairs who recently made big statements about the need to “set our own clear and sovereign course“),  but old concerns about the lack of a distinctly Canadian approach to international and cyber security are as relevant as ever.