Thank you very much, Mr. Chair.
I'll make a few opening comments, and then I think my colleague Shelly from the Communications Security Establishment will also have some opening comments.
I'm pleased to have the opportunity to appear with my colleagues today to discuss , the proposed National Security Act, 2017.
As you can see, I'm joined by officials from the Public Safety portfolio, including the RCMP and CSIS, the Communications Security Establishment, and the Department of Justice.
I want to begin by thanking all the members of this committee for reviewing this bill.
As you know, this bill is the focal point of mandate with regard to national security. It is also the result of an unprecedented nationwide public consultation, one in which this committee played an important role.
The consultations undertaken by Public Safety Canada and the Department of Justice involved an online questionnaire, in-person town halls across the country, social media engagement, and much more. In total, tens of thousands of views were heard, collected, documented, and analyzed.
Of course, this committee held numerous meetings of its own on the topic of national security.
The proposed legislation reflects all of this input - from citizens, parliamentarians, community leaders, national security experts, and academics.
Bill C-59 has three core themes.
Number one is to enhance accountability and transparency. This would be done through the proposed creation of an intelligence commissioner and a national security and intelligence review agency, both of which would complement the work of the newly established National Security and Intelligence Committee of Parliamentarians.
Number two is to fulfill mandate commitments with respect to the former . This includes proposed revisions to threat reduction activities under the CSIS Act, amendments to the Criminal Code, improvements to the Secure Air Travel Act, and revisions to the Security of Canada Information Sharing Act.
Number three is to ensure that our national security and intelligence agencies can keep pace with the evolving nature of security threats. This includes measures such as modernizing the CSIS Act, establishing the proposed Communications Security Establishment Act, and making other legislative updates.
In short, bill is designed to update and modernize Canada's national security framework to reflect current realities. Its overall objectice is to keep Canadians safe, while safeguaring our rights and freedoms.
To ensure that this bill achieves this objective, Minister Goodale signalled his intention for a thorough review and analysis of its contents as it proceeds through the parliamentary process.
Beginning this past summer and continuing through to the new year, officials from Public Safety Canada and from across the security and intelligence community have engaged key stakeholders. In many ways, this has been a continuation of conversations that began with the national security consultations in 2016, which I mentioned earlier.
The aim of these discussions and interactions has been not only to respond to technical questions about the content of the bill, but also, and mainly, to obtain feedback and input about how to improve the bill.
We've had meetings and exchanges with the Office of the Privacy Commissioner of Canada, the Security Intelligence Review Committee, the Office of the Communications Security Establishment Commissioner, and the Civilian Review and Complaints Commission for the RCMP.
We also had a number of exchanges with prominent academics in the field of national security in order to obtain constructive feedback to help ensure the bill achieve its objectives. I can assure you that these discussions were very helpful.
Similarly, we have taken a keen interest in the deliberations of this committee, including the testimony of witnesses and the detailed written briefs made available on the committee's website. I should note that, although separate from Bill , the government announced in June that it would be adopting a national security transparency commitment to be applied across Canada's federal national security apparatus. Public Safety Canada is exercising a leadership and coordination role for implementing that commitment and supporting the establishment and operation of an advisory group. This work will complement the ultimate objectives of Bill C-59.
It is Minister Goodale's aim to have an open and thorough conversation in order to ensure that this bill is the best it can be.
It is in this spirit that my colleagues and I appear before you today. We look forward to responding to any questions the committee may have about the bill.
Thank you very much, Mr. Chair.
Mr. Chair, distinguised members of the committee, As associate chief of the Communications Security Establishment. I want to thank you for the invitation to appear before you, as you continue your study of bill , which sets out the Communications Security Establishment Act.
I am pleased to be here today to clarify and explain certain aspects of this important piece of legislation.
Let me begin by underscoring remarks made by when this legislation was last discussed in the House of Commons. The minister said:
There can be no greater obligation than to protect the security of Canadians at home and abroad. Bill C-59 would provide CSE with the authorities and tools to maintain the highest standards in security protection while adhering to the high standards of accountability and transparency.
CSE has helped protect the security of Canadians for over 70 years by providing critical foreign intelligence about threats to our national security and our deployed forces, and by protecting Canada's most sensitive information and information systems. In order to deliver this important mandate, governments throughout those 70 years have expected CSE to respond to the priorities of the day and to ensure that it stays ahead of evolving global threats and constantly changing technology—and to meet those challenges while protecting Canadians' privacy, rights, and freedoms. That is what the proposed authorities and accountabilities in the proposed CSE act would do. They would provide CSE modernized authorities to help keep Canadians and Canada safe and secure against global threats, including cyber-threats, in a rapidly evolving technological world. They would provide new accountability measures to ensure that CSE's activities are authorized, reviewed, and are as transparent as possible.
As the committee has studied this bill a number of important questions have been raised. I would like to address a few of the more common ones now.
First, I'd like to address the provision in the proposed act around publicly available information. Questions have been raised about how CSE would use publicly available information and what impact that would have on the privacy of Canadians. To be clear, this provision exists only to allow CSE to conduct basic research in support of its mandate from the sorts of public resources that would be available to anyone in Canada. CSE does not and would not use publicly available information to investigate Canadians or persons in Canada, or build dossiers on them. That is not our mandate, and for us, mandate matters.
The proposed CSE act reinforces this by explicitly requiring that CSE have measures in place to protect the privacy of Canadians and persons in Canada in the use, retention, and disclosure of publicly available information.
How would we use that publicly available information? I can provide three quick examples. First, we could use it to provide general background information for a foreign intelligence or cyber-security report. Second, we could use it to assess the nationality of an individual or organization. Third, we could use it to consult technical manuals associated with new technologies or infrastructure.
Under no circumstances would CSE use this provision to acquire information that was unlawfully obtained. Hacked or stolen data would not constitute publicly available information under the CSE act.
This committee has also heard questions about the proposed active cyber-operations aspect of CSE's mandate, including questions on how they would be used and the potential impact on Canadian privacy. As this is a new authority for CSE, I want to clarify what this means. Active cyber operations would allow CSE, within strict legal parameters and with approvals at the highest levels of government, to take action online to disrupt foreign threats, including activities to protect our democratic institutions, to counter violent extremist and terrorist planning, or to counter cyber-aggression by foreign states. As examples, CSE could use active cyber operations to prevent a terrorist's mobile phone from detonating a car bomb; we could impede terrorists' ability to communicate by obstructing their communications infrastructure; or we could covertly disrupt a foreign threat actor from interfering in Canada's democratic processes.
The proposed legislation is also clear in the limits built into this authority. CSE would be prohibited from directing active cyber operations at Canadians, at any person in Canada, or at the global infrastructure in Canada. The act would also require that these activities be reasonable and proportionate. It would specifically prohibit CSE from causing death or bodily harm, or wilfully attempting to obstruct, pervert, or defeat the course of justice or democracy.
Let me underscore the fundamental change in our approach to ministerial authorizations.
Bill builds on CSE's current ministerial authorization regime by broadening its application and introducing new and important oversight and review functions. Under the act, CSE will seek a ministerial authorization for any activity that would interfere with the reasonable expectation of privacy of a Canadian or a person in Canada, or contravene an act of Parliament.
For CSE's foreign intelligence and cyber-security activities, these would be subject to approval by the Minister of National Defence and the intelligence commissioner. Active and defensive cyber operations are not collection activities and cannot be directed against Canadians or persons in Canada. As such, they would be approved by the Minister of National Defence and the Minister of Foreign Affairs. All of CSE's activities would also be subject to full review by dedicated independent review bodies.
Mr. Chair, I'll conclude by thanking the committee for inviting me and my colleagues here today to testify.
Thank you for your important deliberations on the Communications Security Establishment Act. We look forward to answering your questions.
Mr. Chair, thank you very much.
Thank you to our witnesses for being here. Thank you for your service and expertise.
I'd like to start with a question to Mr. Brown.
Mr. Brown, I wonder if you could briefly sketch for the committee your assessment of the strategic threat setting that the country faces in 2018, with particular attention to the two principal threats, being cyber-directed activities, and also the risk of terrorist attacks, violence, extremism, radicalization, both domestically grown and/or foreign inspired.
How do those two compare against each other, and are there any other threats that we need to take note of in 2018?
In all seriousness, virtually everything that I say my colleagues will want to refine, correct, and make more precise, but I will take a stab at it.
I think you have identified two of the key issues. There is no question that in the current threat environment, in terms of counterterrorism and the realities we are all facing, both as individuals and as part of any entity that we participate in, whether it's social or professional or as a government in terms of the cyber-threats we're confronting, the reality is that it's multi-faceted.
I would also indicate, though, that I think we continue to face traditional threats. This is clear in publicly released documents both by the department and CSIS that the threat environment is more complex than the ones just mentioned above. It includes the kind of traditional intelligence gathering by countries that are either competitors or wish us ill. I think, as well, in terms of the counterterrorism environment, we continue to face both foreign as well domestic threats.
As I say, I could use up all of your allotted time very easily, but I think that's a snapshot and I'd be happy to take some questions.
Good morning, everyone. Thank you for being here today. Your comments will be most helpful.
My first question concerns the funding of terrorist groups. The question is for Mr. Brown or anyone else who would like to answer.
Mr. Michael Nesbitt appeared before the committee. He expressed his concern that Canada runs the risk of being a home for terrorist financing and other activities. This is a possibility.
Our party, through my colleague Mr. Tony Clement, introduced bill , which is currently being studied in the House. This bill would address what are known as covert means. It appears that the government did not want to support the bill, arguing that bill and other Canadian legislation provides the tools required to prevent funding by covert means in support of terrorism.
Could you comment on that?
I will answer and my colleagues can add to my comments.
The view is that, in addition to the changes that are proposed in Bill , the framework that is already available to the government in terms of addressing issues associated with terrorist financing is sufficient. Generally speaking, in the context of Bill C-59, the government is open to suggestions. I do think that in the perspectives in the private member's bill that you've mentioned there are some practical considerations that, frankly, make it problematic.
That being said, I think we're constantly challenging ourselves to ensure that all of the agencies have the tools they need to confront the challenges around terrorist financing. There are a variety of steps we can take, and at that I'll let my colleagues jump in, if they'd like, in terms of the tools we have now that, we believe, give us the capacity to respond as necessary.
I'll just to that add, as well.
Again, we cannot direct our activities at Canadians. We direct them at foreign targets. If a foreign target talks about a Canadian, or, say, calls somebody in Canada and we pick that up, we have to destroy that information under current legislation, if it's not essential for international affairs security and defence. If we do retain it, then we have to count it. We would have to account for the fact that the information had been picked up, the fact that we had destroyed it, or if we had retained it, the reason we had retained it. That's reviewed now by the CSE commissioner.
There are policies and procedures and things baked into our system that we have available on our website in the form of a privacy fact sheet that breaks out all the different measures now in place, and our adherence to those measures is reviewed by the CSE commissioner.
Right now in the bill, the minister, in the ministerial authorization space, will lay out the privacy measures specific in that authorization on the use, retention, and disposition of that information, and we have to follow that. Again, some of those elements are listed on our website now. I can walk through them. There are policies, procedures, training, and what have you.
I think an important element to underscore is that the only way we would assist other law enforcement security agencies under their mandates is if they came to us with their own lawful authorities—under our assistance mandate—and then we would help them within the bounds of that lawful authority and that activity.
With respect to the kinds of things we're talking about here, for anything that we do in CSE, whether it's our intelligence collection, cyber-security, or dealing with publicly available information, we have to have privacy measures in place. There could be things that engage our privacy interests, so those measures have to be there.
There's a range of things, in terms of privacy measures, for the kinds of general research that we do, the kinds of intelligence-collection activities that we do in support of the Government of Canada's intelligence priorities, and the kinds of things that we do in response to requests from partners.
Thank you to the officials for being here.
I appreciate your role as bureaucrats and your hesitancy sometimes maybe to speak freely in a committee like this on a matter like this, but we know this is a national security issue and it's a chance we have while the bill is before us before second reading to make any adjustments, which we probably need, obviously.
I'm going to start with you, Ms. Bruce, and I'll ask Mr. Brown the same question as well.
You spoke about active and defensive cyber operations. The legislation here in this bill sets out some very clear limits on its authorities, and prohibits directing active cyber operations at Canadians, as I read it, regardless of where they might be in the world when that happens, or any person in Canada.
Are you confident or satisfied that these limitations and prohibitions are appropriate, given our current climate of domestic threats with Canadians on Canadian soil?
My question is for the representatives of the Communications Security Establishment.
You may be testifying before the committee for the first time, but you must know that your organization is central to the legal framework we are studying. We are talking about foreign threats. Given that you do not handle what happens on Canadian soil, if, in your surveillance and interdiction efforts, you were to hear a conversation involving a Canadian citizen, you would be required to destroy this information. Defending the rights and freedoms and protecting the lives of Canadians are always the excuses given. You would have to prove that there is a threat or a reasonable suspicion of a threat to obtain the warrants required to investigate.
How can you prove that there is a threat if, by destroying information concerning Canadians, you lose information about behaviour or behaviour patterns that could be used as proof of an emerging threat?
Obviously, my assumption is that the source is in another country but is relying on co-operation from Canadians.
We've been touching on a lot of issues surrounding the reasonable expectation of privacy. I might start there. This is a question relating to part 3 of the bill. I've read about this in a few places. I think it has been suggested by Professor Forcese and by the BCCLA that there should be amendments made to subclauses 23(3) and 23(4). The changes would add some words.
The existing subclause 23(1) reads:
Activities carried out by the Establishment in furtherance of the foreign intelligence, cyber-security and information assurance, defensive cyber operations or active cyber operations aspects of its mandate must not be directed at a Canadian or at any person in Canada.
The suggested amendments would add the words, “involve the acquisition of information in which a Canadian or person in Canada has a reasonable expectation of privacy.”
Then the text would go back to the wording that we now have in subclause 23(3), namely, “unless they are carried out under an authorization issued under subsection 27(1) or 41(1).”
Because we've been talking a fair bit about reasonable expectations of privacy and how we manage the constraints of adding that in, do you think this concern is covered by other parts or layers of the legislation, or do you see the value of making additions? I'm not asking from a policy point of view, but am trying to see if you see it covered somewhere else.
Just on the active cyber operations, the minister of National Defence is the one calling the shots, if you'll allow me to use that expression, and you exist through the National Defence Act. But the CSE—and I know the answer to this, but just for the record—is a civilian organization, correct?
Ms. Shelly Bruce: That's correct.
Mr. Matthew Dubé: When cyber operations are being undertaken, you referred in your presentation—I'm going with the notes—to “cyber aggression by foreign states”. You are not phrasing cyber aggression as an act of war per se. You also refer to disrupting “cyber aggression by foreign states”. Is there not concern that a civilian organization answering to the Minister of National Defence, in essentially undertaking offensive actions against another state, could be perceived as engaging in an act or war? What would be the legal consequences of that? We've had witnesses who've explained that, because legally you're seen as a civilian organization, that muddies the waters significantly. That's where a lot of the concern comes from. I don't necessarily feel you've addressed that in your comments.
I would preface this by saying that active cyber operations are meant to achieve an objective that the government has established, and that it's a team sport. That means we each are bringing our mandates, our authorities, and our capabilities to this table. It really is a way of working together to figure out who has the right authority to address the right issue at the right time based on their skills, their mandates, and their authorities.
In the case of CSE, I mentioned some of these operations in my opening remarks, such as interrupting or disrupting ISIL communications, networks, media machines in a way that would stop attack-planning before things reached a crisis pitch. There's also interrupting the spread of ransomware that's being pushed around the world, and interrupting subversion to the democratic process. As my colleague mentioned, we have had instances in the past where sensitive information has been stolen from Canadian systems and is now on foreign systems abroad; therefore, we could find ways to corrupt that data or to make it inaccessible to others who want to take advantage of it and use it for their own benefit.
It's not a party position, I imagine.
My question is for CSE, to start, since this was discussed in your presentation, but it's also for CSIS, because it is mentioned in part 4 as much as it is in part 3 of the bill when it comes to the definition of “publicly available information”.
The sense I've gotten from people who know about it better than I do and have been before the committee is that, up until now, there's been no definition in Canadian law and no jurisprudence about what publicly available information is.
You've defined it as the sort of public resources that would be available to anyone in Canada. One example that the Canadian Bar Association offered was that of information being sold by Facebook to advertisers—which arguably would be available to anyone if they were in that business. It's unclear to me whether we're talking about googling someone whose Facebook page doesn't have strong privacy settings, or whether we're actually talking about things that technically are available to anyone, but wouldn't actually be.
Therefore, my first question is, can you drill down that definition? My second one is why is there no definition in the bill or anywhere in Canadian law of this, and should there be a definition in the bill to make that more explicit?
I would just say that, where there is that reasonable expectation of privacy, any information that we use... If there's any element of, say, information notwithstanding the publicly available information definition and those elements, if there is anything that hits that trigger of “reasonable expectation”, that's brought within the ministerial authorization process.
We still will have the element of privacy measures applying to publicly available information in case there is a privacy interest triggered, but again, given that the Privacy Act requires that we only collect, use, and retain information consistent with our mandate, we cannot go outside of that mandate and use it in different ways.
We will be, obviously, reviewed for reasonableness, necessity, and our privacy measures, so the degree to which there might be any concerns going forward on that would be, I would think, captured by that review agency and drawn to our minister's attention.
Thank you for the question.
I will just talk a little bit about the proposed amendments. The Youth Criminal Justice Act recognizes that young persons have special guarantees of rights and freedoms, and it contains a number of significant legal safeguards to ensure they are treated fairly and their rights are fully protected. Part 8 of the bill is aimed at ensuring that all youth who are involved in the criminal justice system due to terrorism-related conduct are afforded enhanced procedural and other protections that the Youth Criminal Justice Act provides. It ensures, for example, that youth protections apply in relation to recognizance orders and clarifies that youth justice courts have exclusive jurisdiction to impose these orders on youth.
For example, if a young person were to come before a youth justice court on an application for a terrorism peace bond and is not represented by a lawyer, the amendments here would require the court to advise the young person of his or her right to retain and instruct counsel, refer the young person to any available legal aid program, and if the young person is unable to obtain counsel through the program, direct that young person to be represented by counsel provided by the state upon request of the young person.
There is more discussion internationally about the effects of terrorism on the juvenile justice system, and these proposals for amendments to the Youth Criminal Justice Act are to enhance protections of youth in proceedings where recognizance with conditions in terrorism peace bonds apply, but it also provides for access to youth records for the purposes of administering the Canadian passport order, subject to the privacy protections of the act.
I think that question was raised during the first hour. Of course, it will have a positive impact because
Agencies will, I think, have greater clarity over what their expectations are.
This was an issue that we discussed, frankly, in the early days of the deliberations around the legislation. There was a recognition that there were gaps in the accountability regime, and we wanted to ensure that those gaps were filled in a way that didn't have a direct and negative impact on the operational capabilities of the agencies. Part of that is through greater clarity and expectation.
The other expectation is quite clear, and it's in the NSICOP legislation, for example. We expect NSICOP and NSIRA to consult and work with each other to ensure that they don't overlap unnecessarily and that they coordinate their activities.
There's no question that this will result—I would think this is one of the objectives—in greater transparency and greater public understanding of what we all do on a daily basis.
We're also taking steps to simplify the process through the transparency initiative, where the objective is that information that shouldn't be withheld can be shared publicly. This should eliminate going through access to information or whatever kinds of processes are required to release information. If we can release it proactively, we're lightening the burden.
I fully recognize that there has been some commentary about an increased burden, but as Tricia has mentioned, each of the deputy heads have indicated that they welcome and can function effectively within the proposed framework for oversight and review.
I know that Doug is here more in the policy capacity than a charter expert capacity, so I'm happy to address that.
There are a couple of things to keep in mind. One, again, is that it will be reviewed for lawfulness. With the ministerial authorizations that we will have or will seek that capture any information that comes into our possession, where there would be reasonable expectation of privacy, when we put together those authorizations, the Department of Justice is part of reviewing those authorizations, which are like affidavits, to make sure that we've sufficiently captured that space.
As the publicly available information is laid out here, the idea is that it was public, it was intended to be public, so to that degree, any information we acquire under those provisions would have to meet those kinds of tests, and those tests will be reviewed and commented on going forward.
Mr. Dubé is well past his time.
I do have a question, if you don't mind. I want to pick up on the exchange between Ms. Bruce and Mr. Fragiskatos concerning the private infrastructure, if you will.
This conversation has largely been devoted to public infrastructure. It reminded me of a conversation I had last week with a representative of the banking industry. His comment was that when we feed information into the security services, it just disappears and we never hear from them again. It seems to me that this cyber infrastructure is actually shared between the private and public sectors, and that Bill doesn't speak to—it's not obvious, at least—that private infrastructure piece. This issue has consumed the British. The British government has intervened quite actively in protecting private infrastructure.
First, on Bill as is, what contribution in terms of a framework does it make? Second, what is the next piece, if you will, in addressing that issue?
The bill does not refer specifically to critical infrastructure, but I think it makes reference to non-governmental systems, which are tantamount to critical infrastructure, because as you say, our global information infrastructure is made up of public and private enterprises.
In that space, CSE, which is currently focused on defending and blocking activities on the government infrastructure, is limited right now to providing advice and guidance only to critical infrastructure owners in a way such that the information is available to the general public.
In this regard, Bill opens up CSE to take the expertise that has been developed—the tools, the capabilities.... In fact, some of that capability has been exposed to critical infrastructure owners in the form of a tool called “Assembly Line”. We've put it out there. It's a tool that was developed in-house, but we've made it available to others who can use it to help triage and understand malware that might be affecting their systems.
CSE would be able to go even further with this legislation to helping critical infrastructure owners who request our assistance and whom the minister has designated as eligible to receive assistance from CSE.
Some of this falls under the ambit of the . You're asking a framework question on the way in which the government is going to approach it. This is an important building block. It was a gap within CSE's mandates that they were constrained on the help they could provide in the existing context.
As I said before, the government is conducting a cyber-security review. The results of that will be available shortly, I hope. One of the key pieces in this—and here I would add that Public Safety manages the relationship with critical infrastructure sectors—is about knowing where to go, who to call when there's an issue. It's not about the size of the systems; it's about having the right connections. Right now, they sometimes call CSE, and they call our critical cyber-emergency response team, CCIRC, at Public Safety. We need to do a better job of coordinating that.
Much of this information is in an ecosystem where it needs to get shared really quickly, and that's a key role that CSE can play. It's about technical expertise. I will use the analogy of a fire. We send firefighters to a fire. In this instance, it might be one firefighter, because it's actually just a connection that needs to be made so that people understand that there's a fix, and this fix can be applied across the entire infrastructure.
There's an unnamed large American company that dealt with a lot of people's private data. It was one simple fix that was missed, and it had a profound impact on the entire organization.
It's important to frame this. I think we will see a further elaboration in the coming months. This is one important building block.