Intelligence watchdog questions cyber agency's approach to international law, CSE insists it was above board

One of Canada's intelligence watchdogs has scolded the country's cyber security agency over its approach to international law.

CSE spokesperson calls it a 'philosophical' disagreement with oversight body

An IBM employee participates in a training exercise in IBM's X-Force Command C-TOC, a mobile Cyber Tactical Operations Center, in the Brooklyn borough of New York, U.S.
CSE has been granted the ability— with ministerial consent —  to launch active cyber operations to disrupt threats from terrorist groups, hostile intelligence agencies and state-sponsored hackers. (Brendan McDermid/Reuters)

One of Canada's intelligence watchdogs has scolded the country's cyber security agency over its approach to international law.

The National Security and Intelligence Review Agency reviewed the Communications Security Establishment's activities in 2019, the first year after it received new powers. While the review was completed in 2020, its report was made public only this week.

The CSE insists it never violated international law and is calling the matter a "philosophical" disagreement with its oversight body.

"CSE, because we are the ones who deal with foreign cyber operations, did not violate international law. We did not even come close to violating international law," Nabih Eldebs, CSE deputy chief of authorities, compliance and transparency, told CBC News.

"This was not in our ethos, this was not in our thinking."

CSE cleared to launch attacks

CSE is empowered to gather foreign signals intelligence and defend Canada's national security, including government of Canada servers and networks. It also has a growing role in protecting Canada's critical infrastructure, such as banks, telecommunications and the energy industry.

To do all that, the agency was granted the ability in 2018 — with ministerial consent — to launch "active cyber operations" to disrupt threats from terrorist groups, hostile intelligence agencies and state-sponsored hackers.

As an example of what this power allows it to do, CSE says it can prevent a foreign terrorist group from communicating or planning attacks by disabling their communication devices.

The new Communications Security Establishment Canada (CSEC) complex is pictured in Ottawa on October 15, 2013. The federal cybersecurity centre says foreign countries are very likely to try to advance their agendas in 2019 -- a general election year -- by manipulating Canadian opinion through malicious online activity. In a report today, the Canadian Centre for Cyber Security warns that state-sponsored players can conduct sophisticated influence operations by posing as legitimate users.
The Communications Security Establishment Canada complex in Ottawa on October 15, 2013. The cyber security agency insists it never violated international law and calls the matter a "philosophical" disagreement with its oversight body. (Sean Kilpatrick/Canadian Press)

In its report, NSIRA wrote that when it asked CSE to explain its legal obligations when launching such operations, the agency's response was lacking.

"CSE has not sufficiently examined its obligations under international law," said the intelligence review body in its heavily redacted report.

Eldebs said the federal government was still developing its official stance on cyberspace and international law as CSE was beginning to launch these operations.

"These were our new foray into foreign cyber operations," he said.

"I think, in my belief, it was a philosophical disagreement on the approach to international law between both organizations, not the importance of international law."

The government of Canada released a public statement on international law applicable to cyber space in 2021. Eldebs said the CSE now uses that statement as a guiding principle.

Had that public statement been available earlier, Eldebs said, it might have avoided the disagreement between CSE and NSIRA.

"I would think so," he said.

Risk of retaliation 

While CSE won't share details of the active operations it has run in other countries, the disagreement between the two bodies calls attention to how Canada behaves in the cyber world. 

"International law applies to what we do in cyberspace, just like it applies to anything we would do if we were sending troops over to engage in an offensive operation," said Leah West, a professor of national security law at Carleton University.

"International law governs how states can engage in other states. And there'll be questions about whether or not CSE's actions or Canada's actions violate the other states' sovereignty, violate the principle of non-intervention." 

The stakes are high, she added, given the opportunity for retaliation.

"Once you violate international law, states potentially have a right to respond to your violations," said West.

The NSIRA report also looked at CSE's other activities, including actions it took to protect Canadian infrastructure.

While case details are almost entirely redacted, the report does say that in 2019, CSE "observed strong evidence that a foreign-state sponsored actor had significantly compromised a Canadian company."

The company's name was redacted but the report said its infrastructure "is considered a system of importance to the government of Canada." 

NSIRA's concerns about CSE's approach to international law prompted it to launch followup reviews of the agency's operations.

Those reports have yet to be made public. Eldebs said they "didn't find anything in relation to compliance."


Catharine Tunney is a reporter with CBC's Parliament Hill bureau, where she covers national security and the RCMP. She worked previously for CBC in Nova Scotia. You can reach her at catharine.tunney@cbc.ca

Add some “good” to your morning and evening.

A variety of newsletters you'll love, delivered straight to you.

Sign up now