Canada’s electronic spy agency acknowledged Monday it has conducted cyber operations against foreign hackers to “impose a cost” for the growing levels of cybercrime.
It is the first time the Communications Security Establishment (CSE) has publicly acknowledged the use of “foreign cyber operations” — a category of operations that can include both “active” (offensive) and defensive cyber tools.
The agency said its new mandate “gives CSE the legal authority to conduct cyber operations to disrupt foreign-based threats to Canada, including cybercriminals.”
“Although we cannot comment on our use of foreign cyber operations (active and defensive cyber operations) or provide operational statistics, we can confirm we have the tools we need to impose a cost on the people behind these kinds of incidents,” wrote CSE spokesperson Evan Koronewski in a statement to Global News.
“We can also confirm we are using these tools for such purposes, and working together with Canadian law enforcement where appropriate against cybercrime.”
CSE’s acknowledgment of cyber operations against non-state actors is being called a “watershed” moment for the agency, which operated largely in the shadows until thrust into headlines by Edward Snowden’s disclosures in 2013.
The agency was given explicit authority to conduct “active” operations by the Liberal government in 2019 — albeit under considerable restrictions. The example the agency likes to use is taking action to disrupt a terrorist group’s communications networks to prevent them from planning an attack. Another example would be shutting down networks of a criminal or state-backed group that is actively hacking the Canadian government.
Because hacking a criminal group, intelligence agency or terrorist organization based in a foreign country could violate that country’s laws, CSE’s active measures require the sign-off of both the minister of defence and the foreign affairs minister. The actions must not target Canadians or anyone in Canada.
“(This) marks a time where, rather than relying on a criminal justice agency to address criminal behaviours, the Canadian government is instead using its most secretive and best-resourced intelligence agency to impede the activities of criminals,” Christopher Parsons, a cybersecurity researcher with Citizen Lab, told Global News.
“While it is positive that the CSE is admitting it has used these powers — and, in doing so, has joined the ranks of its other Five Eyes intelligence partners — there is still much to learn. … (Does this) signify the Government of Canada will be increasingly reliant on cyber operations to disrupt criminals, without trial or conviction, instead of trying to bring them to justice?”
The cyber intelligence agency, along with the RCMP, warned Monday that ransomware attacks against critical Canadian sectors — such as health care, energy and manufacturing — are on the rise.
The Liberal government released an open letter to Canadians urging organizations to beef up their cybersecurity, noting that the cost of ransomware attacks — where hackers lock down networks and data, and demand a ransom to unlock them — is increasing dramatically over the course of the COVID-19 pandemic.
“Together with law enforcement, and other federal and international partners, we are working hard to make threat information more publicly available and provide you with specific advice and guidance to help you stay safe from the impacts of ransomware,” the letter, signed by four Liberal cabinet ministers, read.
“Canada is also working closely with our allies to pursue cyber threat actors and disrupt their capabilities.”
There are signs — including CSE’s public acknowledgment Monday — that those “disruption” efforts are increasing.
On Monday, the New York Times reported that Gen. Paul Nakasone, the head of U.S. Cyber Command, acknowledged the military had turned its sophisticated cyber arsenal against criminal hackers.
“The first thing we have to do is to understand the adversary and their insights better than we’ve ever understood them before,” Nakasone told the Times, indicating ransomware groups were among those targeted.
“Before, during and since, with a number of elements of our government, we have taken actions and we have imposed costs. … That’s an important piece that we should always be mindful of.”
That language of “imposing costs” — which CSE also deployed — is significant, said Carleton University professor and security researcher Stephanie Carvin. Carvin said it implies the actions CSE is taking are meant not just to stop hacks against Canadian organizations, but to serve as a deterrent.
“It’s a big day in Canadian cybersecurity history,” Carvin, a former intelligence analyst, said in an interview.
“Cybercrime is the primary cyber threat to Canada. … I wonder if the confirmation itself is just kind of the CSE acknowledging the scope of the problem is so severe that they have to become involved as well.”