Intelligence watchdog questions cyber agency's approach to international law, CSE insists it was above board
One of Canada's intelligence watchdogs has scolded the country's cyber security agency over its approach to international law.
The National Security and Intelligence Review Agency reviewed the Communications Security Establishment's activities in 2019, the first year after it received new powers. While the review was completed in 2020, its report was made public only this week.
The CSE insists it never violated international law and is calling the matter a "philosophical" disagreement with its oversight body.
"CSE, because we are the ones who deal with foreign cyber operations, did not violate international law. We did not even come close to violating international law," Nabih Eldebs, CSE deputy chief of authorities, compliance and transparency, told CBC News.
"This was not in our ethos, this was not in our thinking."
CSE cleared to launch attacks
CSE is empowered to gather foreign signals intelligence and defend Canada's national security, including government of Canada servers and networks. It also has a growing role in protecting Canada's critical infrastructure, such as banks, telecommunications and the energy industry.
To do all that, the agency was granted the ability in 2018 — with ministerial consent — to launch "active cyber operations" to disrupt threats from terrorist groups, hostile intelligence agencies and state-sponsored hackers.
As an example of what this power allows it to do, CSE says it can prevent a foreign terrorist group from communicating or planning attacks by disabling their communication devices.
In its report, NSIRA wrote that when it asked CSE to explain its legal obligations when launching such operations, the agency's response was lacking.
"CSE has not sufficiently examined its obligations under international law," said the intelligence review body in its heavily redacted report.
Eldebs said the federal government was still developing its official stance on cyberspace and international law as CSE was beginning to launch these operations.
"These were our new foray into foreign cyber operations," he said.
"I think, in my belief, it was a philosophical disagreement on the approach to international law between both organizations, not the importance of international law."
The government of Canada released a public statement on international law applicable to cyber space in 2021. Eldebs said the CSE now uses that statement as a guiding principle.
Had that public statement been available earlier, Eldebs said, it might have avoided the disagreement between CSE and NSIRA.
"I would think so," he said.
Risk of retaliation
While CSE won't share details of the active operations it has run in other countries, the disagreement between the two bodies calls attention to how Canada behaves in the cyber world.
"International law applies to what we do in cyberspace, just like it applies to anything we would do if we were sending troops over to engage in an offensive operation," said Leah West, a professor of national security law at Carleton University.
"International law governs how states can engage in other states. And there'll be questions about whether or not CSE's actions or Canada's actions violate the other states' sovereignty, violate the principle of non-intervention."
The stakes are high, she added, given the opportunity for retaliation.
"Once you violate international law, states potentially have a right to respond to your violations," said West.
The NSIRA report also looked at CSE's other activities, including actions it took to protect Canadian infrastructure.
While case details are almost entirely redacted, the report does say that in 2019, CSE "observed strong evidence that a foreign-state sponsored actor had significantly compromised a Canadian company."
The company's name was redacted but the report said its infrastructure "is considered a system of importance to the government of Canada."
NSIRA's concerns about CSE's approach to international law prompted it to launch followup reviews of the agency's operations.
Those reports have yet to be made public. Eldebs said they "didn't find anything in relation to compliance."