Paper Blog: The CSE Act and Canadian Cyber Security Practices

https://www.gg.ca/en/heraldry/public-register/project/1744

In 2019, the Communications Security Establishment (CSE) had its mandates expanded under the CSE Act from three to five, with the two newest additions authorizing the agency to conduct “active” (offensive) and “defensive” cyber operations. My paper asked the following question: What significance does the CSE Act’s new mandates entail for the CSE’s role in enforcing Canadian cyber security? Based on findings, the CSE Act highlights the expanding capabilities that the organization has honed since gaining statutory legitimacy in 2001 to defend Canada from new and emerging threats in the cyber realm. However, the agency’s practice of secrecy does little to improve transparency on what the CSE will do with its new powers and may liberally interpret the Act.

CSE’s Addiction to Secrecy. Why? That’s Because it’s [ Statement Redacted]

Much of what we do know about the agency is due to the Edward Snowden revelations (less than 40 files!) (Clement, 2021). Much of what I have been able to assess regarding the agency’s capabilities was reliant on these files. This reveals an interesting observation: Compared to the CSE’s cousin, the National Security Agency (NSA), much less is known about the CSE. This is by design. Legislation and compartmentalization inside the agency ensure that its secrets remain unknown to the public (Walby, and Anaïs, 2012). The next paragraph goes further into this:

This highlighted sentence does not hold any secrets and neither do the other ones. This highlighted sentence does not hold any secrets and neither do the other ones.

Moving on… there are two more important reasons for this secrecy: First, statutory law provides the agency a “legal shield” to legitimately conduct its practices with less legal interference and oversight (Walby, and Anaïs, 2012, 377). Second, the CSE’s strict adherence to secrecy has been influenced by the Cold War—a period of the CSE’s history where it honed much of its skills—which pre-dates the arrival of the Canadian Charter of Rights and Freedoms and other legislation protecting individual rights (Prince, 2021).

Communication Security Establishment's cyberwarfare toolbox revealed | CBC  News
“Tactically” acquired from, https://www.cbc.ca/news/canada/communication-security-establishment-s-cyberwarfare-toolbox-revealed-1.300297

What is Inside CSE’s Toolbox?

Before the Act’s ascension into law, the CSE still developed its cyber capabilities. The Snowden Files reveal that the CSE’s capabilities in offensive and defensive cyber operations were established by the early 2010s. For example, in 2015, the CSE added the NSA’s hacking software (QUANTUM) to its toolbox for conducting its cyber targeting missions across the globe (Seglins, 2015). The Who may be its targets is not well known. The CSE’s “normal global collection” of data is also unspecific and likely intercepts Canadian information abroad and has the infrastructure to do so inside Canada, as shown by the controversial Airport Wi-Fi Data-Tracking story (Clement, 2021, 131). This begs the question of how far the CSE may intrude on Canadians’ privacy regarding the CSE Act, which The Canadian Civil Liberties Association claims will harm the public’s freedom of expression (CCLA, 2017).

Image “ransomed” off the following site: https://cyber.gc.ca/en/guidance/national-cyber-threat-assessment-2020

What Does This Mean for Ottawa and Canadians?

Secrecy will be met with distrust and suspicion. This has been the case for Canada because oversight and transparency remain challenges to properly institutionalizing (Prince, 2021). Despite calls for greater accountability, Canada’s national security concerns since the early 2000s and has made Ottawa willing to expand the CSE and its intelligence contemporaries’ powers to conduct practices that are intrusive (Prince, 2021, 48). Since 2020, the COVID-19 pandemic has pushed the CSE to the forefront of Canadian national security to address the rising number of cyberattacks (Robinson, 2021). Undoubtedly, however, Canada’s cyber capabilities are strengthening, which is good for Canada’s internet infrastructure. But the question remains about how intrusive the CSE’s operations may be toward Canadians.

(While this concludes my blog, I recommend the following articles/books to read if this subject found to be interesting)

  • Pozen, David E. “Deep Secrecy,” Stanford Law Review 62, no. 2 (2010): 257-340
  • Carvin, Stephanie, Thomas Juneau, and Craig Forcese. Top secret Canada: Understanding the Canadian intelligence and national security community. Toronto, ON: University of Toronto Press, 2020.
  • Lyon, David, and David M. Wood. Big data surveillance and security intelligence: The Canadian case. Vancouver Toronto: UBC Press, 2021.

And finally, check out this fifth source:

Works Cited

CCLA. “The New Communications Security Establishment Act in Bill C-59.” Canadian Civil Liberties Association, 12 September 2017. https://ccla.org/privacy/national-security/the-new-communications-security-establishment-act-in-bill-c-59/ (Accessed 26 March 2022).

Clement, Andrew. “Limits to secrecy: What are the Communications Security Establishment’s capabilities for intercepting Canadian internet communications?.” In Big Data Surveillance and Security Intelligence: The Canadian Case. Edited by David Lyon and David Murakami Wood, 126-146. Vancouver, BC: University of British Columbia Press, 2021.

Ericson, Richard V. “The state of preemption: Managing terrorism risk through counter law.” In Risk and War on Terror. Edited by Louise Amoore and Marieke de Goede, 57-76. Oxon, UK: Routledge, 2008.

Lagassé, Philippe. “Defence intelligence and the Crown prerogative in Canada.” Canadian Public Administration 64, no. 4 (2021): 539-560.

Robinson, Bill. “Collection and Protection in the Time of Infection: The Communications Security Establishment during the COVID-19 Pandemic.” In Stress Tested: The COVID-19 pandemic and Canadian national security. Edited by Leah West, Thomas Juneau, Amarnath Amarasingam, 127-144. Calgary, AB: LCR Publishing Services, 2021.

Seglins, Dave. “Communication Security Establishment’s cyberwarfare toolbox revealed.” CBC, 23 March 2015.https://www.cbc.ca/news/canada/communication-security-establishment-s cyberwarfare-toolbox-revealed-1.3002978 (Accessed 17 March 2022).

Prince, Christopher. “On denoting and concealing in surveillance law.” In Big Data Surveillance and Security Intelligence: The Canadian Case. Edited by David Lyon and David       Murakami Wood, 43-56. Vancouver, BC: University of British Columbia Press, 2021.

Walby, Kevin, and Seantel Anaïs. “Communications security establishment Canada (CSEC), structures of secrecy, and ministerial authorization after September 11.” Canadian Journal of Law & Society, 27, no. 3 (2012): 365-380.

Join the Conversation

56 Comments

  1. Great blog post William, very well put together and informational on some more localized personal issues that impact us (as in the general privacy of all persons in Canada). As a citizen I understand why we should always demand more transparency from the governing bodies, as they are put in place for us and by us, but I can also see the balance that the Canadian cybersecurity forces need to to keep a tight lip on some of their operations and whatnot. I just hope that the CSE and these cyber security firms are keeping the interest of the people first, as in protecting national infrastructure from outside attacks and provided safe and secure telecommunications for the citizens, rather than simply spy on us for the sake of ‘national security’… we already have google, facebook, &c. for that.

  2. It’s interesting that many of Canada’s governmental agencies are less familiar to us than our American counterparts. Anyone who has watched a cliché Hollywood crime/investigative film involving the FBI/CIA/NSA has likely a good basic idea of what these organizations do.
    I’m willing to wager that most Canadians are not aware of the CSE, CSIS, Public Safety Canada (PS), Shared Services Canada (SSC) and the types of role they fulfill in our society. In fact, I did not even know this until recently. Even the RCMP deals with federal level cyber-crime related activity, a stark contrast to the image we have of people in red coats with funny hats. While opinions tend to weigh on the extreme sides of the spectrum with regards to these secretive agencies, I think now more than ever is an example of why sometimes secrecy can be beneficial. The question becomes, at what cost, and is that a price we are willing to pay.
    I see this as a general issue with representative democracies as a whole, especially those responsible for governing the lives of millions of people.

    1. You are correct! In 2017 or 2018, only 3% of Canadians could tell the interviewer what CSE stood for and what they were responsible for. Surprisingly, this number appears to have gone down to 2% in 2020, a year after the CSE Act gained royal assent! I got that from a government-backed study:
      Canada. Communications Security Establishment. Attitudes towards the Communications Security Establishment – tracking study: Final report (Ottawa, ON: Communications Security Establishment, 2020), 1.

      1. That’s quite interesting. I wonder if the lack of focus on this topic in highschools (and even some post-secondary institutions) is intentional.

      2. That’s quite interesting. I wonder if the lack of focus on this topic in highschools (and even some post-secondary institutions) is intentional.

  3. Great post! A few things that really caught my attention were the idea that the CSE had made its protocols before the Canadian Charter of Rights and Freedoms was introduced as well as the fact that we only know some of it due to Snowden, who helped shed light upon unethical practices these security agencies were participating in. I value my information greatly, so these vague guideline that they put out worry me because it gives them powers to do what they want by greying the line, even if they may not have my consent. While I understand that they try to do this for “protection”, a lot of people are being harmed by invasive protocols.

  4. Interesting post! As a few other commenters have noted, it’s interesting to consider the interplay between the constitution and the statutory objectives and powers granted to the CES. The Constitution, of which the Charter is a part, is the supreme law of Canada, and anything that conflicts with it is rendered unenforceable purely by virtue of that conflict. However, if noone is there to raise a Charter complaint regarding the legislation, then the courts won’t be given the opportunity to review it or throw it out for being unconstitutional. It’s what some might consider to be a weakness in the Charter protections afforded to Canadians. Also, I am a bit curious as to what you believe to be the implications of the fact that many of the CES’ practices predate the implementation of the Charter.

    1. Thanks for asking! According to one of the chapters in the recommended book, “Big Data Surveillance and Security Intelligence”, Christopher Prince notes that the CSE was established long before the Charter came into effect (1946). This means that the agency’s strategic culture was more impacted by the Cold War than the law. The environment an actor finds themselves in has a strong impact on their culture and their views. CSE most certainly has been impacted by the Cold War and continues to uphold its lessons from the period of its history. The chapter goes into further detail of the complex relationship between secrecy and the ‘law’.

  5. Good Post! The fact that we know less about the CSE than we do about the NSA, coupled with how they have protocols created before the Canadian Charter of Rights and Freedoms paints them as a rather powerful organization. It also seems that this agency is only getting stronger. On one hand (as you’ve mentioned) the CSE’s strength provides Canada with an essential cyber security defense, especially against would-be foreign attackers (looking at you Russia). On the other hand, such strength could be turned on the Canadian people, potentially violating privacy freedoms (many of which were established in the Charter).

    1. I completely agree with your statement. The lack of transparency is concerning. CSE appears to be a double edge sword and since we cannot see the blade, we can never know until it is thrust upon us. I wonder what purpose they would now serve since the cold war is over. Additionally, it would make a lot more sense if this information was made public for people to see. I cannot come up with a solid rationale as to why it would be hidden from the people at this point in time. Maybe to circumvent regulation and oversight would be my strongest guess.

  6. Very interesting post, it is great to be educated on how the CSE is working (or how little we actually know about it)! I assume it is to be expected that every Government Agency is doing some sort of operation that nobody is supposed to know about, but still it feels like it should be a simple right to every citizen to know all about the government’s operations (perhaps there are also a lot of operations I am happy I do not know about). But as in every aspect of life in a society, secrecy does not seem trustworthy, and especially a Government Agency that is supposed to keep its citizens safe does not gain a lot of trust by keeping most of their work secret. Thank you very much for writing about this topic!

  7. Before reading your post, I had never even heard of the CSE. I was aware that Canada had an intelligence apparatus, but erroneously assumed that all functions – including cyber security – were handled under the aegis of the Canadian Security Intelligence Service (CSIS). Upon closer inspection (read: after googling it briefly), the CSIS mandate is to collect, analyze, report, and disseminate intelligence on threats to national security, and conduct operations both covert and otherwise within Canada and abroad. This conspicuously does not include cyber security and information assurance, which are under the CSE mandate. It also appears that the CSE is headed by the Minister of National Defense, signifying closer ties to the Canadian Armed Forces than CSIS, which is headed by the Minister of Public Safety. Overall, I agree that it’s concerning that Canada has such an opaque agency handling critical cyber security functions with questionable levels of public oversight.

    1. Good observation! CSIS and the CSE are the primary intelligence agencies inside Canada, but according to “Top Secret Canada”, there are around 12 agencies and departments that engage in intelligence in one way or another. CSIS primarily focuses on HUMINT while CSE focuses on SIGINT and IT security. One of the newest agencies is FINTRAC (created in 2000) which conducts FININT (Financial intelligence) to collect and analyze financial transactions to identify money-laundering or terrorist financing. I only learned about some of these agencies when I bought the book by the end of last year.

  8. Great post. I have never heard of the CSE and after reading this post , I am now aware of it. It is so shocking to know that they are the one’s who handled the cyber security aspect. The Government should not do things in the dark because the effects are on us citizens, either way, we should be safe.

  9. It’s an interesting post. I did not have any idea CSE before. I learned a lot from this post. Specially how they work and all that. Especially how sometimes government do things in dark which we are not aware of.

  10. This is a fantastic article! The fact that the CSE developed its protocols before the Canadian Charter of Rights and Freedoms was enacted, as well as the fact that we only know a portion of it thanks to Edward Snowden, who helped shed light on unethical practises by these security agencies, were two things that piqued my interest. I respect my data highly, but these foggy guidelines concern me since they give them the power to do whatever they want by blurring the line, even if I don’t approve. While I respect their efforts to protect individuals, invasive protocols are harming a large number of people.

  11. Best Post, here are some facts about Cyber Security: 160,000 Facebook accounts are compromised per day – a type of user data theft. 41 percent of companies have over 1,000 sensitive files open to everyone. In 2018 there is a hacker attack every 39 seconds that affects 1 in 3 Americans each year. In 2017, the FBI estimated that ransomware infected more than 100,000 computers a day around the world. According to Microsoft, 20% of small to mid-sized businesses have been cybercrime targets. Thank you so much for providing such an informative blog.

  12. Very interesting article; it’s fantastic to learn more about how the CSE works (or how little we know about it)! I imagine that every government agency is doing some sort of operation that no one is meant to know about, yet it still seems like every person should have the right to know everything about the government’s operations .

  13. Great Post! I loved how you explained secrecy in the last and I would love to know the answer to how far the CSE may intrude on Canadians’ privacy regarding the CSE Act?

  14. Great Post! I loved how you explained secrecy in the last and I would love to know the answer to how far the CSE may intrude on Canadians’ privacy regarding the CSE Act?

  15. It was a very interesting post, I never knew what CSE was before until I read this. I have heard of NSA before but Canadian security agencies is the first time I am hearing of. Even though government claims that the protocols that they set are for the interest of the citizens, but often these information are not widespread so many people do not know about this. In my opinion, there should be secrecy but to a certain level, so that there is at-least somewhat transparency between the government agency and the tax paying citizens with whose money such agencies run. I believe a country can only succeed only when the people and its government work together for a better and secured digital society.

  16. Great post! All governments claim that their primary objectives are aimed at serving the interests of their citizens. Furthermore, they claim that all actions and decisions, regardless of how egregious they might seem, are done to serve the people. We all are aware that this is simply not the case across the globe. With regards to cybersecurity, it is essential that governing bodies strive to maintain secrecy, which might often include a refusal to share information with the public, and collect information about the public, etc. NSA has been doing this for years, and much of the surveillance they have garnered has prevented terrorist attacks and other large-scale premeditated attacks, in some cases. Obviously, their surveillance has contributed to the collective good of humanity, but they have also garnered an infamous reputation for unlawful “spying” on citizens. The real question here is: where do we, as citizens, draw the line? Do we sacrifice our individual privacy for the collective good? Tough call.

    1. Good question. Recently, the CSE got its annual budget nearly doubled in Ottawa’s efforts to respond to Russia’s aggression in Ukraine. While this will no doubt improve our own cyber resilience ten-fold, this will also mean that the CSE’s operations inside Canada may become more intrusive. Presently, the CSE’s importance is making the agency ‘entrenched’ inside Ottawa’s mindset for identifying threats before they occur.

    2. This would be difficult for ordinary Canadians to do, in my opinion. Only 2% of Canadians know about the CSE and what are its responsibilities, which makes pushing Parliamentarians to act in the people’s interests and pass new privacy laws all the harder. Since so few Canadians know about the agency, not only is making a movement hard, but sustaining a movement when the CSE could try to distance itself from the public until the political winds pass.

  17. Nice post. I had no idea what the CSE was so I really liked learning about it. It’s kind of scary that this organization can liberally interpret the CSE Act and not be transparent about their actions. Even though they are protecting us from cyberattacks, there needs to be concern for our privacy as well.

  18. Interesting post! Actually almost every country in this world has to face the problem between the management of government and citizen’s privacy. For example, during the COVID pandemic, in China, people’s daily routine is closely under the supervision of local government to make sure that positive patients will not spread the virus. This policy does somehow invade personal privacy but according to China’s special national conditions and extremely high population density. It is a reasonable way to make everything under control.

  19. Great article! Love all the sources. When initially reading your article, I thought the addition of the two new mandates would improve our country’s capabilities however the lack of transparency from the CSE does bring up some concerns. I do think and have thought for a while now that Canada should improve its cybersecurity capabilities, especially being so close to the USA who is a military superpower. I think doing so would help us immensely. Looking at the reasonings behind how and why Israel became one of the worlds leading countries on cyber security, the costliness of war on lives as well as the need for heightened security on an independent level. Relying on the deterrent of the USA is not enough in my opinion.

    References: https://www.youtube.com/watch?v=ca-C3voZwpM (How Israel Rules The World Of Cyber Security | VICE on HBO)

  20. I liked how you mentioned that secrecy would cause suspicion and there could be a lack of oversight, I wonder if the CSE had experience something like the NSA did where they had found an exploit and it leaked causing a lot of damage. It seems like with secrecy we cannot ensure that the CSE respects our privacy and ensures our safety. In addition I wonder if the lack of recognition could cause a lack of qualified individuals to be working in the CSE, since I personally haven’t heard of the CSE and as mentioned by William only 2 percent of Canadians knows what CSE stands for.

  21. Great post! Amazing how much research you did about this to present us with such important information! It’s really crazy to see this and think about how little we often know but organization that are playing a big role in our society. Secrecy can often cause a lot of distrust and uncertainty amongst citizens and often times this is where people will start to come up with conspiracies or other answers of their own to fill in the questions that were left unaddressed. The motives may be good but their methods not and due to the lack of transparency their is no way to really know what they are truly up to.

  22. This is a very interesting post. I would have never imagined that we have an NSA at home. The very fact that it is secret is quite concerning because it lacks transparency. We could have our whole lives under a microscope and no one would no expect the central agency. I think this information should be made public so Canadians can understand the inner workings of the government and to better protect themselves from intrusion. ALternatively, it would be interesting to learn what purpose they serve in a post-cold-war world. Our main aggressors are China, Russia, and Iran. Additionally, it would be interesting to look at the connection that is established between the United States and Canada as to how they share information and what use they make of it, domestically and internationally.

  23. Interesting post! Actually just like most comments mentioned that most Canadian do not know many governmental agencies, as a Chinese, I also can barely name a governmental agency. I agree that it is beneficial to the society that there are more people learn about these type of organization. But meantime, from my point of view, it would be better for their works if organizations similar to FBI or CIA remain mysterious. Because they are working on things that should not reveal to people.

  24. Great post. Nowadays, a lot of people get bullied online if they don’t fit the “ideal” image that people want. CSE definitely brings up some secrecy issues. Our privacy should be protected. Overall, good job!

  25. Very well written post! The more I learn about the Canadian government, the more I realize just how much is being hidden from us. I am always hearing about new government organizations, and at this point it seems like I know more American government organizations than Canadian ones. I understand that information needs to be kept secret in order to keep the country safe, but the government should at least inform its citizens about organizations that may be affecting them. This post was really professional, nice work!

  26. Very informative post. It is very interesting to hear what the Canadian government is planning to do in response to modern cyber security threats. I feel as though this would fly under the radar for most Canadians. I believe that most Canadians are unaware of Canada’s legislation in Cyberspace. The amount of secrecy of this act could be a cause for concern. I sincerely hope that the Canadian government leans towards transparency.

  27. Interesting post! The CSE is one of the agencies that I was not aware of previously. CSIS is one that I knew prior to this post. Although it makes sense that there are several agencies for different specializations. I wonder why Canadians have little to no knowledge on these agencies compared to the United States. Maybe leaks such as the WikiLeaks and Edward Snowden’s NSA leaks makes the USA agencies more interesting. I wonder if we will get any Canadian leaks

  28. Interesting post! Prior to reading this, I had no idea Canada had a cyber security organization called CSE. It’s also surprising to read about how much power they have as well. And this can be a concern or not a concern at all depending on your perspective. On one hand, their secrecy (and maybe some intrusive methods) allows CSE to protect Canada and its citizens from cyberattacks. While on the other, there’s a concern of what the CSE might do with your personal data. Once again, there’s another dilemma.

  29. Great post! This is my first time hearing about the CSE. I’m also surprised by how much power they wield especially for being so obscure. But I think that’s by design since this would probably be very controversial if more Canadians knew about this. Personally, I find their secrecy and lack of transparency very concerning, especially with the power they wield. Their history isn’t exactly assuring either, the fact that they’ve been performing a normal collection of data is not exactly a good look.

  30. Great post. I had never heard about CSE before but this is definitely a good thing to know about. I was surprised to learn about how much power the CSE has though. This may be a bit of a problem because with this power they can probably gain access to a lot of personal information.

  31. Pingback: socom 16
  32. Pingback: Ford Everest
  33. Pingback: daftar altogel
  34. Pingback: ผ้าวน
  35. Pingback: bk8
  36. Pingback: lottorich28
  37. Pingback: cat888
  38. Pingback: เน็ต AIS
  39. Pingback: เน็ต AIS

Leave a comment