The National Security and Intelligence Review Agency (NSIRA) aims to get under the skin of Canada's security agencies.
Is its challenge function working?
The National Security and Intelligence Review Agency (NSIRA) is a key element of a radically reshaped system for the conduct of independent, external review of Canada’s security agencies. It operates alongside the National Security and Intelligence Committee of Parliamentarians (NSICOP) and the Intelligence Commissioner (OIC).
NSIRA is a review body, and it is still new. It was established following the passage of national security legislation in July 2019, alongside the Office of the Intelligence Commissioner. Its core functions including reviewing on an annual basis the activities of two key intelligence collection agencies, CSIS and CSE, as well as reporting on both to their respective Ministers, and reviewing compliance with legislation regarding domestic intelligence sharing (the “Security of Canada Information Disclosure Act”) and intelligence-exchange arrangements with foreign partners to ensure Canada is not complicit in torture and other forms of mistreatment (the “Avoiding Complicity in Mistreatment by Foreign Entities Act”).
NSIRA replaced two previously established review bodies—the Security and Intelligence Review Committee (SIRC), which dated back to 1984 and was designed to review CSIS activities only; and the CSE Commissioner, a function established in 1996 and responsible for reviewing CSE only. NSIRA folds both review functions into its mandate. But its legislation goes further, giving it authority to review the activities of any element of Canada’s intelligence community, a much more ambitious remit.
NSIRA recently released an annual report on its activities for 2022. This will be the third in a series of substantive annual reports (the one for 2019 was, of necessity, very preliminary). Unlike NSICOP, NSIRA has chosen to continue to publish a sizeable report, rather than merely produce a short overview. For 2022, the NSIRA report (with annexes) is a full 83 pages.
https://nsira-ossnr.gc.ca/wp-content/uploads/NSIRA-Annual-Report-2022-EN.pdf
Three years in, the question posed by a reading of the NSIRA annual report for 2022 is this—Is review working? Keep in mind that NSIRA produces recommendations only, to which departments and agencies can (and sometimes do) respond in the annual reports.
Whether review is working depends on the nature of NSIRA’s recommendations, on responses to those recommendations, and on a third aspect that cannot be captured in any single annual report—on follow-up to assess how deeply change has run in response to review reports. This third element can be a missing piece in the review process. Review bodies know it and, I think it is fair to say, it nags at them; but the question is always one of resources, to wit, how much attention to pay to old problems versus new ones.
Another problem sometimes suggested in discussion of the review system is its retrospective nature—because it is looking back and documenting past problems somehow it may miss abuses in current practices. This one, we can set aside. Intelligence isn’t a herky-jerky. It builds practices and fashions policies over years of endeavour, even as threats and targets may change. Past, present and future blend in intelligence work. Retrospection is not a serious disability, but an essential feature. The past truly is prologue.
The essence of the NSIRA function is to challenge. To use its reviews and their recommendations to press security agencies to improve their practices. It’s a valuable, but difficult function. Valuable because it involves independent, external scrutiny and pressure through public reporting. Difficult for all kinds of reasons, including questions of where to focus and how to gain the trust and respect of departments and agencies under review, so that they will respond in meaningful ways. Exercising the challenge function also has to speak to the Canadian public, which carries its own narrative challenges and difficulties in finding ways to speak plainly about complex matters shrouded in secrecy.
NSIRA has come to a conclusion, on the basis of its work since 2019, that its challenge function—for any element of the Canadian intelligence system-- needs to be focused on three key areas. They are: governance; propriety; and information management and sharing. Governance is about internal organization; propriety is about compliance with legal authorities and Ministerial direction; information management and sharing is about ensuring systems are in place to allow for the best exploitation of intelligence. These areas of focus do not necessarily distinguish the work of NSIRA from that of its Parliamentary counterpart—NSICOP. Both share a desire to study governance in particular, thus keeping open the possibility of some duplication of effort. The focus on propriety is where NSIRA carves out a unique niche. But the governance theme dominates and provides the greatest opportunities for challenge.
Let’s see how this works as NSIRA tackled CSIS issues in 2022. NSIRA undertook an annual study of CSIS, partly to inform its report to the Minister. If challenge issues came up, we don’t learn of them, as the findings of the annual review are not discussed in the report. In addition, NSIRA undertook a dedicated study of CSIS threat reduction powers (TRM), first granted to it in legislation in 2015. It found CSIS legally compliant in its use of these powers--the propriety theme satisfied. But NSIRA urged faster reporting on the use of TRM and was concerned about one specific TRM, which involved something called “sensitive factors,” which NSIRA clearly believes were not assessed properly. But as readers are in the dark about any details, this remains a dialogue between NSIRA and CSIS. While NSIRA advances recommendations about CSIS’s conduct of TRM, there is no published CSIS response (which contrasts with CSE, as we will see below).
What we see is a challenge function at work, but one that public readers cannot gauge because of secrecy provisions.
The remainder of the annual report’s discussion of CSIS is taken up by statistics regarding warrant applications, threat reduction measures, CSIS targets, data set collection, the “justification framework” (whereby designated CSIS personnel and sources are authorized to engage in activities that would otherwise constitute legal offenses), and operational “non-compliance” (activities that are not authorized and may involve, for example, privacy breaches).
NSIRA frames this delivery of statistics as being in the public interest, but while statistics don’t lie, neither do they tell us much without interpretation, and readers are simply left guessing about the significance of any of the numbers. NSIRA needs to re-think its approach here. Provide the numbers but give us your sense of their meaning.
When we turn to NSIRA reporting on CSE, the picture shifts somewhat. The NSIRA challenge function meets, on some issues, with a more prickly response. This is especially so for a topic in NSIRA’s sights, which involves the new powers granted to CSE in an Act passed in 2019 to conduct what are called active and defensive cyber operations. NSIRA doesn’t explain what these are, but readers unfamiliar with the terms can get a quick explanation on the CSE website:
https://www.cse-cst.gc.ca/en/mission/cyber-operations
Both powers are essentially pre-emptive in nature, allowing CSE to engage online to disrupt foreign based threats (active cyber operations, or ACO) and to defend Government of Canada cyber networks or those of designated critical systems operating in the private sector (defensive cyber operations, or DCO).
Because of their newness and pre-emptive nature, NSIRA is interested in exploring their governance and propriety. CSE, for its part, is interested in preserving new and sensitive operations often involving allied agencies. And there the clash lies.
While NSIRA makes recommendations to improve the use of ACO and DCO powers it opens up a bit of the conflict with CSE right at the outset:
“NSIRA faced significant challenges in accessing CSE information on this review. These access challenges had a negative impact on the review. As a result NSIRA could not be confident in the completeness of information provided by CSE.”
With regard to several requests by NSIRA for data, CSE refused on grounds of national security sensitivity. These included requests for data or statistics on the extent to which intelligence on Canadian persons is included in CSE end-product reporting; on the extent to which Canadian identifying information is supressed in foreign intelligence or cyber security reporting ( a different kick at the same can) and, perhaps most significantly, the number of active and defensive cyber operations approved by the Minister and carried out.
While NSIRA is putting a challenge function to the test around access and publication of CSE information, it seems likely that CSE will be unyielding on some issues. Yet the ability of NSIRA and CSE to find some common ground is identified in the extensive responses provided by CSE to NSIRA recommendations (these are contained in Annex C).
As NSIRA pressed on the governance of active and defensive cyber operations, suggesting a revised process for Ministerial authorizations on an operational case-by-case basis, CSE pushed back, providing one of the clearest descriptions of the shape of requests for Ministerial authorizations available to us. The scope of Ministerial authorizations for CSE activities, which remain highly secret, has been a source of concern for many years. Here is the CSE defence of the current practice:
“They [the Ministerial Authorizations] are not ‘generic,’ but their scope is broad enough to give CSE the flexibility to act against a wide range of targets, where the identity of the threat actor
or the location and context is unknown at the time of application.”
This battle is likely to continue. The next move may be NSIRA’s, to explain any concern they have on grounds of governance or propriety around the flexibility that CSE claims it needs.
CSE’s willingness to engage with NSIRA is clear, even if access issues remain a sore point for the review body. Other departments and agencies subject to NSIRA review have not always provided responses to recommendations that are included in the annual report. This includes CSIS.
To date, NSIRA has been relying on the voluntary provision of public responses to its recommendations by agencies and departments under review. This may be an area for legislative action, whenever the government gets around to the mandatory review of the NSIRA Act (they are already late on that).
There is more to the NSIRA Annual Report, beyond the sections dealing with CSIS and CSE. It used its broader mandate in 2022 to study DND/CAF human source issues and air passenger targeting by CBSA. It looked at the uses of the Security of Canada Information Disclosure Act, a complicated system for ensuring the proper sharing of intelligence among federal departments and agencies. In that study NSIRA singled out GAC for governance weaknesses and highlighted the need to improve training of its officials. With regard to implementation of the “Avoiding Complicity in Mistreatment by Foreign Entities Act,” NSIRA singled out CBSA, Public Safety and the RCMP for gaps in policies.
The challenge function is clearly at work across the wide spectrum of NSIRA review. But the sharp end will always be reviews of CSIS and CSE. The NSIRA 2022 annual report suggests a greater level of contestation between NSIRA and CSE, than between NSIRA and CSIS. Where the trend lines will go in future as NSIRA matures, remains to be seen.
The conclusion to date has to be that NSIRA review is working; working at least in terms of the direct relationship between NSIRA and its review subjects, especially CSIS and CSE. More broadly NSIRA is being heard across the government national security and intelligence system.
But for the challenge function of review to be fully effective NSIRA will have to demonstrate two things.
One is an ability to follow progress on the implementation of its recommendations over an extended period and report out.
The other requirement may be more challenging still. NSIRA has not yet found a way to address a public audience and explain plainly what is at stake in its reviews and recommendations. So far, it is playing mostly inside baseball. It is understandable that that game is where NSIRA needed to start. It is not supportable over the long term.
The appointed members of NSIRA, including its current chair, former Supreme Court Justice Marie Deschamps, are no doubt sincere when they say in a prologue to the annual report that:
“We bring confidence to the Canadian public with each review and investigation we conduct.”
In riposte, the Canadian public (or at least me) might say—“not yet.” Step back and provide more explanation of the issues, please.
Sir, this is a difficult topic for me; in truth, I expect that it is a difficult topic for most of us. Thankfully, except you, of course.
The whole security "issue" [I use quotation marks simply because I cannot determine a correct noun to use] is, by it's very nature, terrifically opaque, of course, and (I suppose) correctly so. The problem is that little idea of accountability. If something is opaque then it follows that most folks don't give it much thought.
I neither have a background in the security area nor do I have a background or abiding interest in related topics; I am therefore unable to comment even marginally intelligently on your material. All of this is by way of praising you (and you thought I was going somewhere else!) for your (well, somewhat) clear exposition of the governance and "control" of Canada's security apparatus.
All I can say is, "Wow!" I can further say that it is a good thing that there are twenty-six letters in the alphabet to allow the salad that is all the acronyms that one sees.
In any event, Sir, thank you for your work as it is as close as I will get to understanding things in this area.
They could start by trying to get Canadians to develop a better intelligence culture. I don't think 90% of Canadians care about the issues that NSIRA brings up with CSE and CSIS unless it involves a Canadian's death. This is the failure of having a really small intelligence culture.