So you want to 'hack back'
The National Security and Intelligence Review Agency explores command and control
In 2019, the Communications Security Establishment was provided with stand-alone legislation (the CSE Act) and new powers. The new powers—which were significant and moved CSE beyond its traditional role as a collector of foreign intelligence and a centre of expertise for the government on cyber security--involved something called Active and Defensive Cyber Operations (ACO/DCO).
Both are preventive capabilities, designed to allow CSE to interfere with the capacity of a foreign actor to harm Canada’s federal cyber infrastructure or its conduct of foreign policy, defence or national security. Colloquially, they allow CSE to “hack back,” a power also possessed by Canada’s key Five Eyes signals intelligence partners.
Given the sensitivity and potential international ramifications of such operations, they require a Ministerial “dual-key” approach. The Minister of National Defence, who is accountable for CSE, must approve such operations using a highly classified and tightly held directive called a Ministerial Authorization (none have ever been made public). The second key is held by the Minister for Foreign Affairs, who must approve any Active Cyber Operation and must be consulted on any Defensive Cyber Operation.
The potential impact of these new powers and the dual key system for approval raise the stakes for governance and accountability. They require close cooperation between CSE and GAC and a close eye by the Ministers involved.
How well is the system of command and control working? That is a question that the National Security and Intelligence Review Agency set out, some years ago, to answer. Although the time frame of their study concludes in the summer of 2021, two years after the new powers were confirmed in law and one year after the first set of Ministerial authorizations were granted, their completed review is only now being released, with no explanation for the delay. [1] The possibility looms large that what we are now reading is no longer current. NSIRA also promised a review of the operational side of ACO/DCO, which was meant to be completed in 2022. No word on when that review might be released.
The public version of the NSIRA review is heavily redacted, as might be expected. It is also clear that the NSIRA review is designed as a closed-loop dialogue between it and CSE. Public education is certainly not its primarily purpose, which is, I think, a shame. There is no background provided on CSE, no discussion of the Parliamentary and public debate over the CSE Act between 2017 and 2019, no analysis of the distinction between CSE’s cyber security mandate and its defensive cyber operations mandate, no analysis of how new CSE authorities might match those of other Five Eyes powers. No discussion of the potential importance of these new powers. Readers are unlikely to be able to make much of NSIRA’s concern about how ACO and ACO may generate parallel or outcome streams of foreign intelligence—an important, but shrouded, point.
The general thrust of the NSIRA review is that it would like to see a further tightening of the governance and accountability mechanisms controlling these new powers. Fair enough, though we don’t know how much progress has been made on this front since the report was concluded. NSIRA’s desire for greater precision around the international law framework for these activities seems to collide with the recognised fact that there is no established international law framework for activities in cyber space—its evolving and remains under development, as the report acknowledges.
NSIRA would also like to seek greater clarity around the distinction between active and defensive cyber operations, fearing that misclassification could undermine accountability and governance and lead, somehow, to a “heightened risk” to Canada’s international relations. CSE and GAC have responded to this by stating that the distinction is clearly set out in the CSE Act and nothing more is needed.
In this midst of this heavily redacted report there are important, small reveals. One is that Ministerial authorisations for ACO/DCO stipulate that these operations must align with Canadian foreign policy and with the Government’s intelligence priorities. In fact, the CSE Act is the only piece of sprawling national security legislation that requires an intelligence organisation to conduct its operations in accordance with Government intelligence priorities (this is specified in the Act for the conduct of foreign intelligence). It’s a statutory requirement that could be usefully extended to other national security acts.
NSIRA wants more here—its wants a better demonstration in Ministerial Authorisations of how exactly ACO/DCO fits within intelligence priorities. But to underscore this point, and again, in the interests of sense-making for a public audience, it might have discussed the nature of Canadian government intelligence priority-setting and outlined exactly what would be achieved, not least in the context of the generality of intelligence priority lists as they are constructed on a strategic level.
NSIRA would also like to see a greater role for the National Security and Intelligence Adviser in bringing a whole of government view to bear on CSE ACO/DCO. This harkens back to a time, more than a decade ago, when national security advisors actually had oversight authority for CSE operations. This was abandoned because it was felt that the NSA did not have the expertise to properly exercise this power and it was felt to be duplicative of the authority of the CSE Chief. But ensuring that important CSE operations are not too siloed in government is surely a worthwhile objective, so long as bureaucratic consensus is not the objective. There are existing committee mechanisms to try to ensure this consultation takes place.
As ACO/DCO operations were being set in motion, we learn from the NSIRA report that one of the key holders, the Minister for Foreign Affairs, agreed on the utility of these activities but wanted to use this capability “with caution in the initial stages.” Whether the Government has broken past this initial caution or remains risk-adverse is not discussed in this review. Missing in the review is any discussion of coordination with Five Eyes partners in ACO/DCO and the governance and accountability problems this might create.
Overall, the NSIRA report is reassuring about the work that was put in by CSE and GAC in the initial stages to ensure that a governance and accountability framework for sensitive active and defensive cyber operations was established. It wants fine-tuning but doesn’t find major gaps. As it states in the conclusion: “NSIRA is satisfied that CSE has, to date, developed a comprehensive governance structure, and commends it regular engagement with GAC to develop a consultation framework that sets out the roles and responsibilities of bnoth departments.”
Now, someone needs to talk to Canadians about these operations, the need for them, the risks involved, the challenges, and the potential pay offs.
For that we might need to wait for the government to deliver on its recent promise, in the Defence Policy Update, to produce a national security strategy. I hope that wait is not too long, or the promise doesn’t get lost in political headwinds.
[1] National Security and Intelligence Review Agency, “CSE Governance of Active and Defensive Cyber Operations,” released April 30, 2024, https://nsira-ossnr.gc.ca/en/reviews/ongoing-and-completed-reviews/completed-reviews/cses-governance-of-active-and-defensive-cyber-operations/