Global Courant 2023-04-29 04:50:44
One of Canada’s intelligence watchdogs has berated the country’s cybersecurity agency for its approach to international law.
The National Security and Intelligence Review Agency reviewed the activities of the Communications Security Establishment in 2019, the first year after it was given new powers. Although the review was completed in 2020, the report was only made public this week.
The CSE insists it has never violated international law and calls the case a “philosophical” disagreement with its oversight body.
“CSE, because we are the ones engaged in foreign cyber operations, did not violate international law. We did not even come close to violating international law,” said Nabih Eldebs, CSE deputy chief of authorities, compliance and transparency, to CBC News.
“This wasn’t in our ethos, this wasn’t in our thinking.”
CSE has been authorized to carry out attacks
CSE is authorized to collect foreign signals intelligence and defend the national security of Canada, including the servers and networks of the Government of Canada. It is also playing an increasing role in protecting Canada’s critical infrastructure, such as banking, telecommunications and the energy industry.
To do all that, in 2018 the agency was given the option — with the minister’s approval — to launch “active cyber operations” to disrupt threats from terrorist groups, hostile intelligence agencies and state-sponsored hackers.
As an example of what this power allows, CSE says it can prevent a foreign terrorist group from communicating or planning attacks by disabling their communications equipment.
The Communications Security Establishment Canada complex in Ottawa on Oct. 15, 2013. The cybersecurity agency insists it has never violated international law, calling the case a “philosophical” disagreement with its oversight body. (Sean Kilpatrick/Canadian Press)
In its report, NSIRA wrote that when it asked CSE for an explanation of its legal obligations in launching such operations, the agency’s response was lacking.
“CSE has not adequately investigated its obligations under international law,” the intelligence agency said in its heavily redacted report.
Eldebs said the federal government was still developing its official stance on cyberspace and international law, while CSE began launching these operations.
“These were our new forays into foreign cyber operations,” he said.
“I think in my opinion it was a philosophical disagreement about the approach to international law between the two organizations, not the importance of international law.”
The Government of Canada released a public statement in 2021 on international law applicable to cyberspace. Eldebs said the CSE is now using that statement as a guideline.
If that public statement had been available sooner, Eldebs said, it could have prevented the CSE-NSIRA discord.
“I would think so,” he said.
Risk of Retaliation
While CSE will not share details of the active operations it has conducted in other countries, the disagreement between the two agencies draws attention to how Canada behaves in the cyber world.
“International law applies to what we do in cyberspace, just as it applies to anything we would do if we were sending troops to participate in an offensive operation,” said Leah West, a professor of national security law at Carleton University.
“International law governs how states can engage with other states. And there will be questions about whether the actions of CSE or Canada violate the sovereignty of other states or violate the principle of non-intervention.”
The stakes are high, she added, given the possibility of retaliation.
“Once you violate international law, states may have the right to respond to your violations,” West said.
The NSIRA report also looked at CSE’s other activities, including the measures taken to protect Canadian infrastructure.
While the details of the case have been almost completely redacted, the report says that in 2019 CSE “observed strong evidence that a foreign state-sponsored actor had significantly compromised a Canadian company.”
The company’s name was redacted, but the report said the infrastructure “is considered a system of interest to the Government of Canada.”
NSIRA’s concerns about CSE’s approach to international law prompted follow-up investigations into the agency’s activities.
Those reports have yet to be made public. Eldebs said they “found nothing regarding compliance.”
