The Canadian government is proposing new legislation that, for the first time, would explicitly define how and when the country's digital spies can hack into computer networks and infrastructure around the world.
If accepted, the Communications Security Establishment Act would expand the spy agency's mandate to include two types of "foreign cyber operations" — attack and defence — and introduce new authorizations that would codify many of the operations the agency already conducts.
"Previously we knew a lot of this stuff was going on, in part because of the [Edward] Snowden revelations — both directed at what we knew CSE itself was doing, but also as it pertains to our partner agencies," said Christopher Parsons, a researcher at the University of Toronto's Citizen Lab, who focuses some of his efforts on understanding CSE's operations. "So this formalizes a lot of what we already knew, which I take to be a reasonably positive thing."
At present, CSE has three mandates — collect foreign intelligence, provide assistance to other law enforcement and security agencies and protect the government of Canada from digital attacks — under which CSE had the ability to conduct certain types of hacking operations.
For example, outlets including CBC News have previously reported on CSE efforts to disrupt and manipulate computers, spy on networks in Mexico and Brazil and plant malware on mobile phones. Others have also reported on CSE's efforts to monitor the very core, or backbone, for internet communications infrastructure around the world.
Now, the government is proposing CSE's mandate be expanded, with two additional mandates intended to more explicitly cover both defensive and active foreign hacking operations. Under those new authorities, CSE spies cannot direct either operation at infrastructure located in Canada, and must receive both ministerial approval and a sign-off from the foreign minister too.
"It means going out in the world, attacking devices, attacking servers, capturing data, with the knowledge or lack thereof [of] the persons whom we're targeting," Parsons said. "It potentially means the modification of data itself."
In a briefing with reporters, Minister of Defence Harjit Sajjan said the new authorities would allow Canada to "align ourselves with our other Five Eyes partners" — the U.S., U.K., Australia, and New Zealand — and help Canada retain its "technological advantage" when dealing with threats.
Much of the new act deals with how spies can interact with so-called "information infrastructure" both at home and abroad — the servers, routers and cables that send information back and forth through the public internet and private networks.
An authorization would be required when undertaking activities such as "installing, maintaining, copying, distributing, searching, modifying, disrupting, deleting or intercepting anything on or through the global information infrastructure," for example.
The CSE Act defines five types of these authorizations, which can be granted with approval from the defence minister — and the foreign minister, in the case of foreign cyber operations — and are valid for up to a year (but can be renewed):
- Foreign intelligence authorization. Required when accessing foreign infrastructure for covert intelligence gathering purposes.
- Cybersecurity authorization (federal infrastructure). Required when accessing infrastructure that belongs to the government in order to protect the government or Canadians from harm.
- Cybersecurity authorization (non-federal infrastructures). Required when accessing infrastructure that is not owned or operated by the government, but is still "of importance," for similar protective purposes.
- Foreign defensive cyber operation authorization. Required when accessing foreign infrastructure for the purpose of defending Canada or its allies from a digital attack — for example, to shut down a foreign server attempting to copy data from government computers.
- Foreign active cyber operation authorization. Required when accessing foreign infrastructure for the purpose of proactively disrupting a potential threat to Canada or its allies — for example, CSE says, "to interfere with the ability of terrorist groups to recruit Canadians or plan attacks against Canada and its allies."
For example, an authorization for an "active cyber operation" could allow CSE to "to degrade, disrupt, influence, respond to or interfere with the capabilities, intentions or activities" of targets as they interact with computer networks and servers located around the globe.
"This absolutely spells clear that those sorts of operations could be undertaken," said Parsons. "It's been obvious for some time. But this gives them even more evident legislative footing."