2009–2010 Review Highlights

The Commissioner provides classified reports containing findings and recommendations to the Minister of National Defence, with copies going to the Chief of CSEC, to the National Security Advisor to the Prime Minister, who is accountable for CSEC operations and policy, and to the Deputy Minister of National Defence, who is accountable for administrative matters pertaining to CSEC. Prior to finalizing a report, the Commissioner's office seeks CSEC's comments respecting the report's factual accuracy.

Study of CSEC information technology security activities not conducted under ministerial authorization

Background

This study was initiated and conducted under the authority of former Commissioner Gonthier, as articulated in paragraph 273.63(2)(a) of the NDA. It examined CSEC information technology (IT) security activities not conducted under ministerial authorization. A previous review of IT security activities was conducted in 2000. However, because of significant changes and developments in this area since that time, a comprehensive study was undertaken of all IT security activities not conducted under ministerial authorization. Other IT security activities that CSEC conducts under ministerial authorizations are reviewed annually.

CSEC's principal authority for IT security is derived from paragraph 273.64(1)(b) of the NDA: "to provide advice, guidance and services to help ensure the protection of electronic information and of information infrastructures of importance to the Government of Canada". CSEC's IT security activities focus on preventing and responding to sophisticated IT threats and cyber attacks that attempt to covertly access sensitive government computer systems. Among its IT security activities, CSEC promotes sound security practices to help government departments reduce IT vulnerabilities and manage IT security risks. This may involve the provision of monitoring and countermeasures to prevent, detect and respond to IT threats and cyber attacks.

The objectives of the study were to acquire knowledge of CSEC IT security activities and to conduct a risk assessment to determine which of these activities, if any, may raise issues about compliance with the law, ministerial requirements, CSEC policy and procedures, or the protection of the privacy of Canadians, and should therefore be subject to follow-up review. Particular attention was paid to activities that may involve private communications or information about Canadians.

Some of the areas included in the scope of this study were: the government's cryptographic program; relationships with industry; research, analysis and reporting respecting cyber vulnerabilities and sophisticated IT threats and attacks; assistance in identifying and responding to vulnerabilities and incidents affecting information infrastructures of importance to the government; and associated relationships with key Canadian government and international partners.

Findings and conclusions

The study found that CSEC IT security activities not conducted under ministerial authorization generally present a low risk of possible non-compliance with Part V.1 of the NDA and a low risk to the privacy of Canadians. One quarter of the areas included in the study were identified for follow-up review and have been incorporated into the Commissioner's three-year work plan.

In only a few cases, CSEC's IT security activities not conducted under ministerial authorization involve access to a small amount of information about Canadians. Most of this information relates to the identity of a Canadian company, or consists of information voluntarily provided by CSEC's government clients as part of cyber protection activities or ongoing Crown business.

There are, however, other IT security activities not conducted under ministerial authorization that may present risks to the privacy of Canadians. These activities are conducted under the Criminal Code and the Financial Administration Act authorities of other government entities and may involve CSEC access to private communications and information about Canadians. In respect of these activities, the study found that CSEC takes measures to protect the privacy of Canadians. For example, private communications and information about Canadians are disclosed only to those officials involved in protecting computer systems. Nevertheless, the potential risks to privacy presented by these activities cannot be discounted. Therefore, the Commissioner's office will conduct in-depth reviews of these activities to verify CSEC's compliance, and to assess the extent to which it protects the privacy of Canadians in carrying out these activities.

Intrusion detection system monitoring

Paragraph 184(2)(e) of the Criminal Code permits the interception of a private communication by a person in control of a computer system in order to protect the computer system from any act that would be an offence under subsections 342.1(1) ("unauthorized use of computer") or 430(1.1) ("mischief in relation to data") of the Criminal Code. This provision permits the use of an intrusion detection system to protect against a cyber attack and allows for the use or retention of a private communication where it is essential to identify, isolate or prevent harm to the computer system.

Section 161 of the Financial Administration Act provides authority for a government entity to take reasonable measures to protect a computer system, including the interception of a private communication in circumstances specified in paragraph 184(2)(e) of the Criminal Code.

The study also included the examination of a principal CSEC IT security software tool and information repository. Former Commissioner Gonthier concluded that the CSEC IT security software tool has adequate functionality to restrict access to information held in the system, to meet security and confidentiality requirements, and to protect the privacy of Canadians. To confirm this, the Commissioner's office examined CSEC's use of the system in the context of a review of certain IT security activities conducted under ministerial authorization. The results of this review will be included in the 2010–2011 annual report.

Review of CSEC foreign intelligence collection activities conducted under ministerial authorizations and in support of government efforts relating to Afghanistan

Background

This review was initiated and conducted under the authority of former Commissioner Gonthier, as articulated in subsection 273.65(8) of the NDA. The report was reviewed and submitted to the Minister of National Defence by former Commissioner Cory. The review examined activities conducted under two ministerial authorizations in effect in 2006–2007 and 2007–2008 and in support of Canadian Forces military operations and other government efforts relating to Afghanistan. CSEC obtained the ministerial authorizations pursuant to subsections 273.65(1) and (2) of the NDA because, in carrying out the activities, it was possible that CSEC might intercept a communication that either originated or terminated in Canada, constituting a private communication, as defined in the Criminal Code.

Pending amendments to clarify the NDA, this review was based on the legal interpretation of the foreign intelligence ministerial authorization provisions in the NDA provided to CSEC by Justice Canada.

As this was the first review of these activities, the objectives were to acquire detailed knowledge of these activities, to assess whether these activities were authorized and complied with the law, and to assess the extent to which CSEC protected the privacy of Canadians in carrying out these activities.

Findings

It is clear that CSEC's activities under ministerial authorization and relating to Afghanistan provide important access to valuable foreign intelligence that supports both military and broader government intelligence priorities.

The activities were found to have involved access to a minimal number of private communications and information about Canadians. They were therefore assessed as presenting a low risk to the privacy of Canadians.

Based on information reviewed and interviews conducted, CSEC activities from 2006–2008 under ministerial authorization and relating to Afghanistan were found to have been appropriately authorized and conducted in accordance with the law and Justice Canada advice. These activities were also found to have been conducted in accordance with requirements in the ministerial authorizations and with ministerial direction. CSEC recorded and reported information to the Minister in accordance with the requirements of the authorizations.

Recommendations

No information or documentation was found to indicate that CSEC employees contravened operational policies and procedures applicable to these foreign intelligence collection activities. However, former Commissioner Gonthier recommended that CSEC amend its policy for these activities to clarify certain obligations. It is a positive development that CSEC acted on this recommendation and, as a result, has strengthened its ability to meet legal and ministerial requirements. The Commissioner's office will also monitor CSEC efforts to address gaps related to CSEC's dealings with the Canadian Forces, as identified by CSEC internal evaluators.

In addition, this review noted two CSEC enhancements related to foreign intelligence collection reporting that should be recognized. First, CSEC took action to centrally manage a certain type of reporting to enhance accountability for such reporting. Second, CSEC addressed a recommendation by former Commissioner Gonthier that additional information respecting foreign intelligence collection activities be recorded and reported to the Minister of National Defence to strengthen accountability.

Regular review of CSEC disclosure of information about Canadians to Government of Canada clients

Background

This review was initiated and conducted under the authority of former Commissioner Gonthier, as articulated in paragraph 273.63(2)(a) of the NDA. The report was reviewed and submitted to the Minister of National Defence by former Commissioner Cory.

When receiving a request for disclosure of the details of suppressed information about a Canadian in a report, CSEC requires its clients to explain their authority to obtain and use this information, and to provide an operational justification of their need for such information. Only after these conditions have been met will CSEC release the suppressed information.

The Commissioner's 2008–2009 annual report contained a summary of a comprehensive review of disclosure of information about Canadians to Government of Canada clients. The review found that CSEC activities complied with law, and with CSEC policies and procedures. Subsequently, CSEC suggested that reviews of this activity could be conducted at regular intervals. Recognizing that this CSEC activity is important to privacy protection, former Commissioner Gonthier agreed with CSEC's suggestion and monthly reviews of all CSEC disclosures to Government of Canada clients were conducted from January to June 2009.

Findings

The monthly reviews found that CSEC's disclosure of information about Canadians in foreign intelligence reports to Government of Canada clients complied with the law and with CSEC operational policies and procedures. Given these positive results, it was determined that monthly reviews were not necessary and not the most effective use of resources for either party. However, given the privacy implications of this activity, commencing in 2010–2011, the Commissioner will conduct an annual review of a random sample of disclosures to verify that CSEC continues to comply with the law and maintains measures that protect the privacy of Canadians.

Recommendations

Notwithstanding the positive findings, former Commissioner Gonthier made two recommendations respecting reporting to the Minister of National Defence on the volume of information about Canadians released to CSEC's clients. The recommendations relate to providing tools to support the tracking of such information and to improving the consistency and accuracy of the reporting. CSEC has accepted and is implementing the recommendations.