Canada’s cyberspy agency defends proposed new powers to go on offensive

A sign for the Government of Canada's Communications Security Establishment (CSE) is seen outside their headquarters in the east end of Ottawa on July 23, 2015. A. THE CANADIAN PRESS/Sean Kilpatrick

A senior official from Canada’s cyberspy agency says proposed new powers would allow it to stop a terrorist’s mobile phone from detonating a car bomb, block the ability of extremists to communicate, or prevent a foreign power from interfering in the country’s democratic process.

A Liberal bill would help the Communications Security Establishment counter various forms of cyberaggression and violent extremism, Shelly Bruce, associate chief of the CSE, told a House of Commons committee studying the legislation.

READ MORE: Here’s what you need to know about Canada’s ‘extraordinarily permissive’ new spying laws

A December report by leading Canadian cybersecurity researchers said there is no clear rationale for expanding the CSE’s mandate to conduct offensive operations.

It said the scope of the planned authority is not clear, nor does the legislation require that the target of the CSE’s intervention pose some kind of meaningful threat to Canada’s security interests.

Story continues below advertisement

WATCH: CSEC under the microscope

Bruce stressed the proposed legislation contains safeguards that would prohibit the agency from directing active cyberoperations at Canadians. It would also forbid the CSE from causing death or bodily harm, or wilfully obstructing justice or democracy.

The Ottawa-based CSE intercepts and analyzes foreign communications for intelligence of interest to the federal government. It is a member of the Five Eyes intelligence alliance that also includes the United States, Britain, Australia and New Zealand.

READ MORE: Former spymaster singles out new oversight role as concern in national security bill

The Liberal bill provides a statutory mandate for the highly secretive agency, which traces its roots to 1946, while giving it new muscle to conduct both defensive and offensive cyberoperations.

Story continues below advertisement

The powers would help keep Canadians safe against global threats, including cyberthreats, in a rapidly evolving technological world, Bruce said during the committee meeting.

She provided some concrete examples of how the CSE might use its new offensive capabilities – with input from other federal officials as well as accountability measures in the new law to prevent abuse.

WATCH: Federal government makes cyber warfare priority


Click to play video 'Federal government makes cyber warfare priority' Federal government makes cyber warfare priority
Federal government makes cyber warfare priority – Jun 14, 2017

“Active cyberoperations are meant to achieve an objective that the government has established and that’s a team sport,” she cautioned.

Bruce said a cyberoperation could be aimed at interrupting communications of an extremist group like the Islamic State of Iraq and the Levant “in a way that would stop attack planning before things reach a crisis pitch.”

Story continues below advertisement

An effort might involve preventing the spread of ransomware – software that holds people’s valuable data hostage in return for payment, she said.

READ MORE: Most Canadians don’t really know much about Canada’s cyberspy agency

Or the CSE could try to corrupt data on systems abroad that had been stolen from Canadian servers, rendering it useless to the thieves.

Bruce tried to allay concerns about how the CSE would use publicly available information under the new legislation and what effect this might have on the privacy of Canadians.

CSE would carry out “basic research” from the sort of public resources available to anyone in Canada, Bruce said.

“CSE does not, and would not use publicly available information to investigate Canadians or persons in Canada, or build dossiers on them,” she said.

“That is not our mandate, and for us, mandate matters.”

The cyberspy agency would use publicly available materials to provide general background information for a foreign intelligence or cybersecurity report, to assess the nationality of a person or organization, or to consult technical manuals, Bruce said.

Under no circumstances would the agency use this provision to acquire information – such as hacked or stolen data – that was unlawfully obtained, she added.