Mr. Chair, honourable members, I am pleased to appear before this committee again, this time on the subject of Bill . I am accompanied by William Galbraith, the executive director of my office, and by Gérard Normand, special legal advisor.
I have been the Communications Security Establishment (CSE) Commissioner for over four years. I am responsible for reviewing the activities of CSE, primarily to determine whether they complied with the law. This naturally includes everything to do with protecting the privacy of Canadians and persons in Canada. I am a retired judge of the Superior Court of Québec and of the Court Martial Appeal Court of Canada. As I like to often say when I appear before you:
I'm a young 75.
The phrase retired judge means that you cannot expect someone 40 or 50 years old. In order to retire, we have to be at least 69 or 70. That explains my somewhat advanced years.
The law requires the CSE Commissioner to be a supernumerary judge, meaning a judge who is on the bench part-time, or a retired judge of a superior court. My current term expires in mid-October this year, in 2018.
However, once Bill receives royal assent and part 2 enters into force, my role will change into a completely—and I emphasize completely—new function for intelligence accountability in Canada.
Indeed, the CSE commissioner will no longer perform after-the-fact review of CSE activities. The intelligence commissioner, or the IC if you prefer, will have a quasi-judicial role, of which the first part is reviewing and the second is approving authorizations issued by ministers for certain activities of CSE and CSIS before those activities can be conducted.
This specific role will be to determine whether the minister's conclusion to authorize the activity was reasonable. The test I have to apply is reasonability. In essence, this is similar to the function performed by a court of law when undertaking what we call “a judicial review”. This is, in my view, a critical role, intended to provide a quasi-judicial review of an intelligence agency's activities that may have charter and/or privacy implications.
Part 2 of Bill , the Intelligence Commissioner Act, expressly provides for the transition of the CSE Commissioner into the new role of Intelligence Commissioner. The functions of post-facto review of CSE activities that I now perform will be assumed by the new National Security and Intelligence Review Agency, also proposed in Bill .
This bill also requires the intelligence commissioner to be a retired judge of a superior court, which is appropriate, in my view, given the quasi-judicial function of this new position. However, this bill does not include the possibility of appointing a supernumerary judge, as is the case now with the National Defence Act for the CSE commissioner. I believe this bill should retain the possibility of a supernumerary judge, in part to ensure a broader pool of potential candidates. I was a supernumerary judge when appointed CSE commissioner four years ago, and a short time afterward, I fully retired as a judge.
The problem is the following. The pool of candidates for this job, the new intelligence commissioner, is very narrow. You must find a retired judge who has the proper background to be appointed—for example, a background in security matters or in national defence matters. The pool is very narrow. That's why I'm suggesting that we should keep in the bill what we have in the National Defence Act with regard to the appointment of the intelligence commissioner. In other words, a supernumerary judge should be appointed as the IC and then would retire maybe a few months later. It would be a transitory measure. I can see that if a sitting judge remained the intelligence commissioner for years, he might have some problems with conflicts of interest and what have you. I think for transition purposes, it might be very useful.
Previously, I submitted to this committee a written copy of substantive proposals for amendments to Bill . Those comments were sent to your chair on December 6, 2017. I am also submitting today lists containing additional substantive and technical proposals that I sent to Minister Goodale and Minister Sajjan. I think you have a copy of those comments before you. I will highlight a number of these in my remarks.
The importance of the process the government has chosen to follow for this bill is, as stated by Minister , to allow new ideas and alternative suggestions to be presented before second reading in the House.
In this context, I will speak to changes I am proposing for three parts of the bill: part 2, the intelligence commissioner act; part 3, the CSE act; and part 4, amendments to the CSIS Act. While I am of the view that the proposed legislation is generally sound and that it addresses most of the recommendations made by me and my predecessors to amend part V.1 of the National Defence Act, I am also of the view, following in-depth analysis and discussions with officials and agencies directly involved, that certain amendments should be proposed. Among my substantive proposals, I will describe seven that I consider the most important.
First, I believe the intelligence commissioner should be involved in approving authorizations for CSE active cyber and defensive cyber operations which may also implicate privacy interests. Some commentators have remarked that this is a new and very broad mandate for CSE and that it is too permissive. By comparison, the CSIS Act requires CSIS to go before a federal court judge, in some instances, to have a warrant issued for similar activities.
Second, as the bill is written currently, the Intelligence Commissioner does not approve the minister's decision to extend the validity of a CSE foreign intelligence or cybersecurity authorization for an additional year. I believe the commissioner should be involved, given that he was involved in approving the initial authorization. Otherwise, in effect, the authorization would be for two years. However, this is not what the bill proposes. It proposes that this type of authorization is valid for a maximum of one year. If the minister granted extensions almost automatically without the commissioner being involved, the duration could end up being two years, instead of the one year provided for in the act.
Third, emergency authorizations for CSE issued by the for purposes of foreign intelligence or cybersecurity should also be reviewed by the commissioner immediately after they have been issued. This would be similar to the approach that exists in the Investigatory Powers Act in the United Kingdom. Under the U.K. legislation, the period of validity for these emergency authorizations is five days, the same validity period as in Bill . However, in the U.K., the Judicial Commissioner must review and approve these authorizations within that time frame.
In the answers you have provided to some of my colleagues, you discussed the mandate of the CSE. Ms. Bossenmaier, the CSE chief, appeared before us, and I asked her specific questions on the proposed subclause 24(1), the first paragraph of which presents exceptions for cases of publicly available information. This concerns us, as do the paragraphs that follow. Ms. Bossenmaier mentioned that the mandate of the CSE essentially affects foreign entities, and not Canadians. I would like to ask you a number of questions about that.
First, is the mandate legal or is it understood as such by the CSE?
Also, these types of exceptions are included in the bill, but we really have yet to hear why. For example, it reads: “The Minister may, by order, designate any…electronic information or information infrastructures as…of importance to the Government of Canada.” All these matters are unclear, and we are not able to justify the scope.
I have touched on several questions, some of them in the form of comments. I would simply like to know your point of view on these subjects.
What is the mandate of the CSE? Is the bill widening its scope without us being able to justify the concrete reasons for doing so and the intended objective?
Thank you, gentlemen.
First, thank you for the very comprehensive document you submitted to the committee. Bill is, indeed, complex to study, and the document you have provided contains very important elements.
I would like to come back to one point, the approval process.
The problem right now is cyber threats. In cyber defence, there is a maximum number of resources that can be in the know and that can counter cyberattacks. We work together on this. However, when we talk about active trading, that is, when Canada conducts cyber operations, I find that there are many levels of intervention, given the secret nature of the information. If you want to carry out an operation, you need to collect information or make computer-based interventions in the systems.
This morning, I attended the meeting of the Standing Committee on National Defence. We have heard from people who work on cyber operations. According to them, in defence, the important thing is to provide protection. In case of attacks, they will especially turn to the CSE.
According to Bill , when we talk about conducting operations, we seek the approval of the Minister of Foreign Affairs. On your side, you also ask for supervision by the Intelligence Commissioner.
Don't you think there are too many people involved in secret operations?
I'm happy to go first. Thank you, Mr. Chair, and thank you to the committee for this invitation.
My prepared remarks are about the CSE and CSIS bulk data collection.
In his testimony to this committee, Professor Craig Forcese made a very important point about the thresholds for authorizations for CSE data collection.
Proposed section 23 of what would be the new CSE act sets out that activities carried out by the CSE in relation to its various mandates must not be directed at Canadians or persons in Canada. This is of course a continuation of the current situation in which the CSE is required not to direct its activities in this fashion.
Nevertheless, it is well established and conceded that the information of Canadians and persons in Canada is collected, because some collection, and by no means insignificant collection, is unavoidable due to the complexity of communication networks. Thus, Canadians' information is collected incidentally or unavoidably.
Part of the new regime proposed for the protection of Canadians' privacy interests is to require that the CSE seek a ministerial authorization that is then approved by the intelligence commissioner. The trigger that initiates this process of authorization and intelligence commissioner vetting would occur when the CSE's activities would otherwise contravene an act of Parliament.
We agree with Professor Forcese that this trigger is under-inclusive, a view that is now echoed by Citizen Lab, the Canadian Internet Policy & Public Interest Clinic, and others.
As Professor Forcese notes, there is concern that the proposed threshold would not ensure that the authorization process would, for example, be initiated for activities that incidentally collect Canadians' metadata, which is obviously of critical importance.
Craig Forcese proposes a more expansive trigger, in which the authorization process is required for activities that would otherwise contravene any other act of Parliament or “involve the acquisition of information in which a Canadian or person in Canada has a reasonable expectation of privacy”, a threshold that has already been referenced.
Our problem with this proposed addition is simply this: that the question of what precisely attracts “a reasonable expectation of privacy” is typically the central dispute in almost any emergent privacy issue, and this threshold would be adjudicated internally by the CSE.
We know, not least from years of reports from the CSE commissioner, that disputes over the interpretation of legal standards and definitions have been of ongoing concern, and national security activities in general are plagued with the “secret laws” problem of having words in a statute or directive interpreted in sometimes obscure or deeply troubling ways, and ways that may not be unearthed for years. Therefore, a trigger that involves a colourable definition is inherently problematic, in our view.
However, we read the latest CSE commissioner's report as indicating that the CSE has conducted its signals intelligence activities under just three ministerial authorizations since 2015. It appears that these authorizations tend to authorize a broad sphere of activities. Our understanding of the frequency and scope of “incidental collection” suggests that most, or even all, of the authorizations are apt to at least implicate Canadians' data. In other words, there are only a small number of authorizations, and almost all are apt to require the authorization regime of vetting by the intelligence commissioner.
Surely, then, it is best and still entirely feasible and efficient—to ensure that this authorization process does indeed examine everything that we are hoping it will—to simply have one uniform process of authorization approval by the intelligence commissioner for all classes of activities undertaken outside of the technical and operational assistance mandate, which is, as you know, its own sphere of activities.
For everything else, we recommend that the question of threshold be resolved by eliminating the need for a threshold and ensuring that every class of activities authorized be subject to the new accountability procedure of ministerial authorization and vetting by the intelligence commissioner.
I will turn now to bulk data collection by CSIS. It was most certainly our concern coming out of the national security consultation that the government response to the CSIS bulk data scandals, if you will, would be to simply empower the agency to do what it had previously been doing unlawfully without having a meaningful democratic debate about mass data acquisition in the context of national security. We certainly appreciate that having bulk data collection squarely on a legislative footing does improve transparency, but we are deeply concerned with the low threshold that is proposed in Bill and that this critically important matter is, quite frankly, receiving insufficient attention in the context of a large omnibus bill.
It was only recently that SIRC did its first-ever audit of the bulk data collection programs of CSIS. SIRC is of the view that appropriate bulk data collection by CSIS can occur under CSIS's current section 12 standard of strict necessity for data collection. In our view, it is hard to imagine a body that would be better positioned to assess this, both from the perspective of accountability and respect for the rule of the law and from the perspective of the operational needs of CSIS.
SIRC's proposal for the standards and criteria for bulk data collection is a three-part test: that there be a clear connection to a threat to the security of Canada, that no less intrusive means are available, and that there be an objective assessment of intelligence value.
Now, compare that standard with the standard set out in Bill . Bill C-59 allows CSIS to collect publicly available datasets, with no definition of that term, on the basis of a bare relevance standard. With respect to Canadian datasets—which, we need to remember, are expressly defined as datasets that contain personal information expressly acknowledged as not directly and immediately relating to activities threatening the security of Canada—the test for their acquisition is simply that the results of their querying or exploitation could be relevant and that this assessment must be reasonable.
It may be argued that this vast scope for bulk data collection is at least mitigated by the requirement for judicial authorization for the retention of those datasets, but rather than providing significant gatekeeping, this authorization simply compounds the effects of the very low standards that lead up to it. Personal information that does not directly and immediately relate to threats to the security of Canada is allowed to be collected if it “could be relevant”, if this assessment is “reasonable”, and if the judge then decides that the dataset can be retained on the standard of “is likely to assist”.
These, then, are the thresholds of what most Canadians would call mass surveillance, and we believe most Canadians would reject these thresholds as shockingly low standards. Thus, a genuine opportunity to meaningfully shape these surveillance practices is being squandered in Bill .
The proposed standard represents a mass erosion of the privacy protections from the strict necessity standards that currently apply. We recommend that the CSIS bulk data provisions be revised to be expressly within the strict necessity standard, and not in exception to it, and that the criteria for bulk data collection, such as that fashioned by SIRC as implicitly principled and workable, be set out within the legislation.
Those are our prepared remarks. Thank you.
Thank you very much, Mr. Chairman, and thanks for this opportunity to speak to everybody today.
As you know, I am the provincial security advisor for Ontario. I began this role in January of 2017. Prior to that, I spent almost five years as a consultant to private and public organizations in the area of national security-related risks, including cyber-threats. Prior to that, I was with the Canadian Security Intelligence Service, CSIS, and left that organization in 2012 as the assistant director.
As a result of joining CSIS at its inception in 1984, I've witnessed a tremendous number of milestones that shaped Canada's security intelligence environment, more specifically in regard to the organizations that are central to Canada's threat response.
At this moment, we find ourselves yet again at the cusp of change, and obviously important change. Although the CSIS Act has been widely viewed as a model of effective security intelligence legislation, it has required renovation from time to time, perhaps not so much due to any particular failings but rather to the necessity of changing times socially, culturally, politically, and, now more than ever, technically.
Of all the elements of import in Bill , it is time to consider essential changes for an organization that I did not work for but to which I maintained important operational connectivity over many years. It is time for CSE to have its own enabling legislation, as its current mandate is 16 years old.
Most critical to that transformation of mission and mandate is the area related to cyber-threats. Canada must now join the community of like-minded nations determined to resist the growing threat of globalized criminal enterprise, nation-state-directed theft of intellectual property or interference in our society, and the potential for catastrophic destruction of critical infrastructure, be it the result of fifth-dimensional warfare or terror attack. We must support and connect and keep pace with our allies, from Australia to the EU. They themselves have recognized the nature of this new 21st century threat environment.
The nations that do not support or believe in these values certainly have discovered the benefits of hybrid or fifth-domain warfare. They are extremely active in targeting our key infrastructure and our future prosperity through the theft of the best and most important intellectual property the country has to offer. They've also noted the ease and the immediate benefits of undermining our democratic processes by undermining people's trust in institutions, as well as our ability to conduct respectful and constructive dialogue.
There are a number of areas to explore in this discussion today, but first let me say that I've also been a long-serving and vocal advocate of increased accountability for the security intelligence community. The establishment of the National Security and Intelligence Committee of Parliamentarians and the National Security and Intelligence Review Agency will now meet the majority of my concerns on the need to enhance accountability and transparency across the security establishment.
However, as part of my opening proposition, let me now address more directly aspects of the threat and our need to effectively respond to that reality.
We live in unprecedented times. Never in my career, which has spanned a little over three decades, have I perceived such a set of local and global challenges, from climate change and food security to irregular migration and unprecedented numbers of refugees, as well as social and political upheaval, nuclear threats, and shifting global hegemony. Threat actors from around the globe now target Canada with ease. Conversely, Canadians with the intent to harm others or target Canadian interests abroad can now operate from far-flung regions of the world, not just from typical conflict zones.
In this security intelligence equivalency of globalization, it is critically important that CSE continue to support CSIS, the Department of National Defence, and law enforcement agencies in the pursuit of lawful investigations or mission requirements wherever threats may emerge around the world. Whether that means assisting CSIS to collect intelligence on an emerging violent extremist network targeting Canadian travellers or diplomats abroad, assisting the Canadian Forces in the protection of a deployed unit delivering training, or perhaps even helping the RCMP bring human traffickers to justice, we need to provide the best available toolsets. The tools or capabilities I'm suggesting here are ones that only our signals intelligence organizations can provide.
Equally important, and I believe critical, is that we rely on Canadian-controlled and accountable capabilities rather than on the efforts or competencies of other nations that may not share our full set of standards and intentions.
With respect to part 3 of the bill, specifically dealing with cybersecurity and information assurance, let me say that as the provincial security advisor for Ontario, I am concerned most about this area, the cyber-threat targeting our vast investments in critical infrastructure.
Outside of the protection of intellectual property from either front-door or backdoor acquisition, what is key to our current and future prosperity is the protection of life-sustaining critical infrastructure assets, be they publicly owned or in private hands. Therefore, the enhanced ability for CSE to provide assistance towards protecting our critical infrastructure is vital for Ontarians and, I dare say, for all Canadians.
I believe this to be true because we now exist in a hazardous environment where 400-plus new malware threats are produced every minute and where ransomware attacks a person somewhere in the world every 10 seconds. As localized proof, the Government of Ontario’s cybersecurity operations team manages approximately 40 billion security events per month. Yes, that's billions per month. Although we are within industry norms, over 90% of the emails the Ontario public service receives are blocked due to botnet or spam threats.
With respect to defensive cyber operations, I believe that only CSE can bring to bear the technology, know-how, and library of threat-related data necessary to build effective cybersecurity resilience so necessary in this kind of environment. From conversations I've had with private industry and with large independent agencies of government, such as those involved in energy, health care, education, and transportation, I know that all feel the effects of constant cyber-threats. In essence, we and they can no longer do this alone. It is a global threat phenomenon requiring a national-level strategy and capability.
With regard to active cyber operations, let me simply say that the best defence always begins with a good offence. When more than five dozen countries around the world are reported to be actively developing cyber-operational capabilities, in my view, we must develop offensive cybersecurity measures to respond, and on certain occasions that means beyond our borders.
Offensive cyber-tactics have been developed and are being applied by the best private security firms in the world. Engaging the so-called dark web or darknet to gather intelligence in advance of an attack and to protect systems, such as those in the financial sector, has been the norm for some time. I know that because I've worked directly in that sector. When the time comes to face a targeted attack intended to manipulate the operating systems of an energy facility to cause a malfunction or perhaps even to destroy something, as we’ve seen in cases from Ukraine to Germany and even New York State, we will need CSE to “degrade, disrupt, influence, respond to or interfere with the capabilities [or] intentions” of those threat actions or their actors.
More commonly, and as another example, the frequency and prowess of so-called denial of service attacks or DDoS events are intensifying. One day soon, I predict, CSE will be required to assist a Canadian service provider or a subnational level of government to repel a massive DDoS attack.
With the advent of the Internet of things, we’ve already seen or witnessed botnets created out of smart devices being harnessed to launch attacks of one terabyte per second against institutions typically associated with information sharing, anti-spamming facilities, social networks, human rights workers, and mainstream media. Rest assured that this will only get worse, especially when we are facing autocratic regimes around the world that have no inhibitions.
On the issue of changing times, my current role as provincial security advisor is an important example of how the world has changed and how Canada’s view of itself and how it operates must also change. Ontario is but one of 14 core jurisdictions in this country. By itself, Ontario’s economy would rank 18th in a G20 context. No doubt, like Ontario, all subnational jurisdictions are conscious of the multitude of threats that continue to adversely affect prosperity and security.
To my mind, an effectively legislated security establishment that balances security requirements with accountability, transparency, and respect for the rights of Canadians is indeed the blueprint for our future success as a nation in this increasingly tumultuous world.
With your permission, I will make a few comments in English, since I mostly work in English currently.
There's no doubt about the threat capabilities of Russia. They have been demonstrated through the interference in democratic processes through western Europe and in the United States and increasingly in a number of specific states in the U.S. Russia's malicious intent in supporting autocratic regimes from Syria and elsewhere is clear. Those are much more predictable and traditional types of quasi-military activities. In the hybrid warfare threats that we've seen them conduct, they are using proxies in Internet-type attacks, and in convergence with organized criminal groups in Russia, we have seen them launching a number of important negative effects on jurisdictions, including Canada.
China is a much more complex issue, and I understand the challenges of national jurisdictions like ours. State-owned enterprises and authoritarian capitalism seem to drive a lot of business opportunities and business decisions, but they represent complexities from time to time that I'm not sure we have fully examined as Canadians.
There's also the issue that China is now in the age of self-admitted “sharp power”, and they exercise that power with very little reservation anymore. There's no longer even a question of hiding their intentions. They are taking a very aggressive approach around resources and intellectual property, and they also are very clear in dealing with dissidents and academics. They've arrested some of them, and they punish others, including academic institutions in North America, at their will, so I think there's a value challenge that Canadians have to consider along with the economic opportunities discussion. The Cold War is over, but a new version is rapidly emerging, and I think our focus on counterterrorism is not always our best play.
Thank you both for being here. It's interesting, given the comment that was just made about incidental information, because there's incidental information, there's the publicly available information, and there's this notion that there's clearly an intent in the legislation to expand the powers for this new threat that's being described, but when we ask the chief of CSE to explain why those powers would be used, there's no example that's able to be provided.
This question is for you, Ms. Vonn. I want to understand, because there's a link here. One of the answers that was given to me when these officials were before the committee was, “Don't worry. If you look at part 3 of the bill, in proposed section 25, they have to ensure measures are in place to protect the privacy of Canadians”, but that's a very vague notion, because it then goes on to say, “of Canadians and persons in Canada in the use, analysis, retention and disclosure of...” and then goes on to describe the information.
The use of the word “disclosure” is particularly troubling, because that's how the government has rebranded the information sharing that was created under former Bill . I'm wondering if there's some concern about that information. It's seemingly for research and other innocuous purposes by CSE, but it can nonetheless be shared, and I'm wondering if there's some concern about what consequences there might be, in particular if it's being shared with Five Eyes allies, when we see examples like what was reported in La Presse at the end of last week about the RCMP acquiring information on Canadians from the DEA without the proper judicial oversight that would normally be involved if they were doing it here in Canada.
With that very broad portrait I've painted, I just want to understand, because I think a lot of people don't quite understand how maintaining, even with a cosmetic change, information sharing as was brought in by the former Bill has an impact on how these new powers of CSE are going to potentially play out.
It's of critical concern to civil libertarians that the public understand that collection, incidental or otherwise, of personal information into national security agencies is not innocuous. In part because we do have these alliances, information sharing does flow in ways that are potentially problematic for those individuals, even with the notion that perhaps we're not exploiting it and perhaps we're not using it.
We're going to try to give assurances, but we don't know what's being used in terms of exploitation. We know it's everything from network mapping to profiling, which has been identified as a huge problem. It definitely resonates with Canadians as a threat to their own personal security. All those aspects of trying to figure out what the jeopardy is for this collection, use, retention, and exploitation are critical. It's critical to figure out those tentacles and ensure that we have mechanisms that are not merely paper mechanisms when we say we have measures. What are those measures? How do we know where they work? Do they cover off all the aspects?
Those are aspects behind the curtain that goes on with national security that most Canadians cannot see. We've come to have reason to distrust, because we haven't seen, for example, the simple definitions for things that would allow us to have the insight that we should have for democratic accountability.
When we see failures of definitions in Bill around things like publicly available information, to pick up my colleague's point, and a national security agency can acquire data through a data broker using the kinds of techniques that were just being described and ingest that into a system in which information may get shared with allies abroad, you can see the magnification effect of the impact on security of individuals—not national security, but personal security—in relation to all of those data practices.
People are not as alive as we would like them to be to these threats, but they're increasingly alive that these are the problems, as you illustrate.