Part III: Key Cyber Defence Players, Authorities and Activities
National Security and Intelligence Committee of Parliamentarians Special Report on the Government of Canada’s Framework and Activities to Defend its Systems and Networks from Cyber Attack

The Communications Security Establishment

154. The Communications Security Establishment (CSE) is at the centre of the government's framework for cyber defence. It collects intelligence on threats to government systems and networks, operates a sophisticated, layered defensive network of sensors that identifies and blocks those threats, and provides direction and advice to government organizations (and increasingly, to Canadians and private sector organizations) to strengthen their own information technology security. This section discusses CSE's authority to conduct these activities and the governance mechanisms used to control those activities and to ensure CSE's accountability to the Minister of National Defence. It then describes the cyber defence activities themselves and the results they have achieved to date. The Committee uses case studies of actual cyber incidents to illustrate key issues.

CSE cyber-related mandates and authorities

155. On December 18, 2001, Parliament passed the Anti-terrorism Act. Footnote 263 That Act amended the National Defence Act to add Part V.1, Communications Security Establishment. For the first time, CSE's authority to conduct its activities was founded not in the Crown prerogative but in statute. The Act provided CSE with a threefold mandate:

  (a) the acquisition and use of foreign intelligence in accordance with government intelligence priorities;
  (b) the provision of advice, guidance and services to help protect electronic information and infrastructures of importance to the government; and
  (c) the provision of technical and operational assistance to federal law enforcement and security agencies.

156. The Act contained significant control and accountability measures. Activities conducted under parts (a) and (b) of the mandate could not be directed at Canadians nor at any person in Canada, and CSE was obligated to implement measures to protect the privacy of Canadians in the use and retention of intercepted information. It also created a ministerial authorization regime to allow CSE to intercept private communications for the purposes of foreign intelligence collection and for protecting the computer systems of the Government of Canada. Footnote 264 This was a critical change: prior to these authorities, CSE's ability to fulfill its foreign intelligence collection and information protection mandates was in steady decline due to the emergence of an increasingly digital global information infrastructure. To conduct certain activities to protect government systems and networks, CSE obtained ministerial authorizations once certain conditions were met. Footnote 265 CSE's three-fold statutory mandate and these authorizations allowed CSE to develop and conduct novel cyber defence activities on government computer systems or networks, notably active network security testing activities to measure the security status of specific government systems and networks and cyber defence activities to protect specific government systems and networks. Footnote 266

157. On June 21, 2019, the Communications Security Establishment Act (CSE Act) received Royal Assent. The CSE Act significantly changed CSE's mandate, authorities, immunities and oversight. The Act provided the organization with an overarching mandate as “the national signals intelligence agency for foreign intelligence and the technical authority for cybersecurity and information assurance.” Footnote 267 The Act provided five aspects to the CSE mandate: foreign intelligence; cyber security and information assurance; defensive cyber operations; active cyber operations; and technical and operational assistance. Footnote 268 The aspects of CSE's mandate of most relevance to this review are cyber security and information assurance and defensive cyber operations.

Cyber security and information assurance

158. The CSE Act sets the CSE mandate in the area of cyber security and information assurance. That mandate is to provide advice, guidance and services to help protect federal institutions' electronic information and information infrastructures, and those of non-federal institutions designated as being of importance to the Government of Canada. Footnote 269 The Act also enables the cyber security and information assurance mandate by permitting CSE to acquire, use and analyze information from the global information infrastructure (e.g., Internet and mobile communications systems), namely through ministerial authorizations, or from other sources (e.g., publicly available information) to provide its advice, guidance and services. Footnote 270 In practice, this means that information acquired as part of CSE’s foreign intelligence aspect can be used to support CSE’s cyber security and information assurance aspect, including its acquisition and use of information from government networks and computers.

159. Ministerial authorizations are a key component of this aspect. Authorizations allow CSE, despite any other Act of Parliament, to access the information infrastructure of a federal institution or a non-federal institution designated as a system of importance to the government and to acquire any information originating from, directed to, stored on or being transmitted on or through that infrastructure, for the purpose of helping to protect it (in this context, from disruption, unauthorized use or mischief). Footnote 271 For non-federal institutions, CSE is permitted to access their systems for these purposes only if the institutions have first been designated under ministerial order as of importance to the Government of Canada, and when the owner or operator of that non-federal institution has requested CSE's assistance in writing.

Defensive cyber operations

160. Defensive cyber operations are distinct from activities conducted as part of the cyber security and information assurance mandate and inherently carry more risk because of their invasive and potentially disruptive nature. The CSE Act sets the defensive cyber operations aspect of the CSE mandate to carry out activities on or through the global information infrastructure to help protect federal institutions' electronic information and information infrastructures and electronic information and information infrastructures designated as being of importance to the Government of Canada. Footnote 272

161. This means that CSE can conduct defensive cyber operations to defend a government network or the network of an entity designated by the Minister from cyber attack. Such operations can include:

  • gaining access to a portion of the global information infrastructure;
  • installing, maintaining, copying, distributing, searching, modifying, disrupting, deleting or intercepting anything on or through the global information infrastructure;
  • doing anything that is reasonably necessary to maintain the covert nature of the activity; and
  • carrying out any other activity that is reasonable in the circumstances and reasonably necessary in aid of those activities authorized by the authorization. Footnote 273

162. Defensive cyber operations are conducted under ministerial authorization. These authorizations allow CSE, despite any other Act of Parliament or of any other foreign state, to carry out cyber operations on or through the global information infrastructure, and to conduct any activity specified in the authorization in the furtherance of the defensive cyber operations aspect of the CSE mandate. Footnote 274

Authorized activities, constraints, limitations and conditions

163. The CSE Act sets a number of constraints, limitations and conditions on the conduct of activities under the cyber security and information assurance and the defensive cyber operations aspects of CSE’s mandate. First, the CSE Act prohibits the organization from directing its activities at any Canadian, no matter their location, or at any person in Canada, and stipulates that CSE activities must not infringe on these individuals' rights under the Canadian Charter of Rights and Freedoms. Footnote 275

164. Second, for both the cyber security and information assurance activities and the defensive cyber operations, the CSE Act permits CSE to:

  • acquire, use, analyze, retain or disclose publicly available information;
  • acquire, use, analyze, retain or disclose infrastructure information for the purpose of research and development, for the purpose of testing systems or conducting cyber security and information assurance activities on the infrastructure from which the information was acquired - this allows for the collection of descriptive information on a network (e.g., pertaining to its configuration) to support the conduct of cyber security and information assurance activities; and
  • test or evaluate products, software and systems, including testing or evaluating them for vulnerabilities. Footnote 276

165. Third, where CSE is permitted to perform cyber security or information assurance activities on a network, it may identify or isolate malicious software, prevent that malicious software from harming the network, or otherwise mitigate any harm such malicious software may cause to the network. CSE may also analyze information to be able to provide advice on the integrity of supply chains and on the trustworthiness of telecommunications, equipment and services. Footnote 277

166. Fourth, ministerial authorizations play an important role in authorizing CSE to conduct higher-risk activities in these areas. For example:

  • ministerial authorization is required for any cyber security and information assurance activity that risks contravening an Act of Parliament, that involves the acquisition of information from the information infrastructures of federal institutions or non-federal institutions designated as of importance to the government, that interferes with the reasonable expectation of privacy of a Canadian or a person in Canada, or that risks infringing on the Canadian Charter of Rights and Freedoms; Footnote 278 and
  • all activities conducted as part of a defensive cyber operation must be carried out under a valid ministerial authorization, and such authorizations may only be issued if the Minister has consulted the Minister of Foreign Affairs. In addition, the CSE Act prohibits defensive cyber operations from being directed at any portion of the global information infrastructure that is in Canada. Footnote 279

While defensive cyber operations must always be conducted under ministerial authorization, other activities (e.g., the provision of advice or guidance to a government department) do not require authorization as they do not present the same risks to Charter rights or of contravening an Act of Parliament. The role ministerial authorizations play is discussed in greater detail in the next section on governance.

Governance of CSE cyber defence activities

167. The CSE Act is the foundation for CSE's authorities, accountabilities and governance. The Act provides four broad categories of governance instruments for CSE activities. The most relevant to cyber defence are ministerial authorizations, ministerial directives, ministerial orders, and CSE's internal operational policies and guidance. Each of these instruments is described below.

Ministerial authorizations

168. Ministerial authorizations have been a part of the governance architecture for CSE activities since 2001. Under the CSE Act, the Minister of National Defence may issue three authorizations of relevance to cyber defence:

  • Cyber security authorizations - federal infrastructures: These permit CSE to access the network of a federal institution and to acquire and use any information on that network to protect it from mischief, unauthorized use or disruption. The Minister has issued two authorizations under the Act for the years 2019-2020 and 2020-2021. Footnote 280
  • Cyber security authorizations - non-federal infrastructures: These permit CSE to access the network of a non-governmental entity designated by the Minister as of importance to the government and to acquire and use any information on that network to protect it from mischief, unauthorized use or disruption. The Minister has issued one such authorization since the passage of the CSE Act. Footnote 281
  • Defensive cyber operations authorizations: These permit CSE to carry out any activity specified in the authorization on or through the global information infrastructure to help protect federal institutions' electronic information and information infrastructures, and electronic information and information infrastructures designated as of importance to the government. The Minister has issued two authorizations in this area for the years 2019-2020 and 2020-2021. In the case of the first authorization, no defensive cyber operations were conducted during its period of validity (this issue is described further below). Footnote 282

169. The Minister may issue an authorization only for activities that the Minister believes are reasonable and proportionate and where satisfactory measures are in place to protect the privacy of Canadians. Consistent with new obligations in the CSE Act, the Chief of CSE must submit a written application to the Minister, which includes facts and descriptions that allow the Minister to conclude that there are reasonable grounds to believe that the requested authorization is necessary and that the conditions for issuing it are met. Footnote 283

170. All ministerial authorizations, including those for cyber security and for defensive cyber operations, must include specific elements of information, notably:

  • the activities or class of activities that CSE is being authorized to carry out and which of those activities would otherwise be contrary to any other Act of Parliament;
  • the persons or class of persons who are authorized to carry out the activities identified in the authorization;
  • the activities authorized must be reasonable and proportionate, having regard for the objective to be achieved, and the nature of the activity to be performed;
  • any terms, conditions or restrictions that the Minister considers advisable in the public interest, or advisable to ensure the reasonableness and proportionality of any activity included in the authorization; and
  • anything else reasonable in the circumstances and reasonably necessary in aid of any other activity, or class of activity authorized by the authorization. Footnote 284

171. Five additional conditions must be met for the Minister to approve an authorization for cyber security (both for federal systems and systems designated as of importance):

  • any information acquired will be retained for no longer than is reasonably necessary;
  • for federal systems, the consent of all persons whose information may be acquired could not reasonably be obtained and, for non-federal systems, the owner or operator of the system must request the assistance in writing;
  • any information acquired is necessary to identify, isolate, prevent or mitigate harm to the electronic information or infrastructure in question;
  • the measures CSE has in place to protect privacy will ensure that information acquired on Canadians or a person in Canada will be used, analyzed or retained only if it is essential to identify, isolate, prevent or mitigate harm to the electronic information or infrastructure in question; and
  • any additional terms or conditions the Minister deems necessary to further protect the privacy of Canadians and of persons in Canada.

All ministerial authorizations for cyber security are reviewed by the Intelligence Commissioner to ensure that the conclusions leading to their granting are reasonable. Ministerial authorizations are not legally valid until the Intelligence Commissioner has approved them in writing. Footnote 285

172. Two additional conditions must be met for the Minister to approve an authorization for defensive cyber operations:

  • the objective of the authorization could not reasonably be achieved through other means;
  • information will be acquired only in accordance with an existing authorization under the CSE Act for foreign intelligence, cyber security or an emergency authorization as stipulated in the Act.

Moreover, CSE must not “cause, intentionally or by criminal negligence, death or bodily harm to an individual” and CSE must not “willfully attempt in any manner to obstruct, pervert or defeat the course of justice or democracy.” Footnote 286 Because defensive cyber operations may implicate Canada's relations with other countries, the Minister of National Defence may issue such an authorization only after consulting the Minister of Foreign Affairs. Footnote 287 The Intelligence Commissioner does not review authorizations for defensive cyber operations.

173. Ministerial authorizations are valid for up to one year and may be amended, subject to certain conditions. Footnote 288 The Minister may also provide an emergency authorization for up to five days for activities conducted as part of the cyber security and information assurance aspect of the CSE mandate, and must notify the Intelligence Commissioner of that authorization. Thereafter, CSE must apply to the Minister for an authorization consistent with normal procedures, including that the Intelligence Commissioner review and approve the application, if that authorization continues to be required. Footnote 289

Ministerial directives

174. CSE activities must be consistent with the Minister's direction, including in areas of cyber security and information assurance and defensive cyber operations. Prior to the CSE Act in 2019, CSE had received ministerial directives in the following areas:

  • Government of Canada Intelligence Priorities;
  • Accountability to the Minister;
  • The Privacy of Canadians;
  • The Collection and Use of Metadata;
  • The Management of Third-Party Relationships; and
  • Avoiding Complicity in Mistreatment by Foreign Entities.

With the exception of the Ministerial Directive on the Government of Canada Intelligence Priorities, all of the ministerial directives issued under the National Defence Act ceased to be in effect when the National Defence Act provisions on CSE were repealed on August 1, 2019 and the CSE Act came into force. CSE's only active ministerial directive (on the Government of Canada Intelligence Priorities) was issued in 2019. That directive is based on the intelligence priorities approved by Cabinet and directs CSE's efforts to collect and share intelligence, and to collaborate with other parties. It requires CSE to report annually to the Minister on its efforts to support the priorities. Cyber and Cyber-Enabled Operations is one of four priorities in the directive. Footnote 290

Ministerial orders

175. The Minister of National Defence may issue two types of ministerial orders to CSE in relation to cyber defence activities:

  • orders to designate the devices, networks and information of non-federal institutions as of importance to the Government of Canada; and
  • orders to designate entities with whom CSE is permitted to share information related to Canadians or persons in Canada or Canadian businesses when necessary to help protect the information or systems of federal institutions or critical infrastructures. Footnote 291

Designating non-federal institutions as of importance to the government

176. The CSE Act stipulates that the Minister may issue a ministerial order to designate any electronic information or any information infrastructures as of importance to the Government of Canada. This means that where electronic information or information infrastructures exist outside of federal institutions (e.g., a research network or an aspect of critical infrastructure), the Minister may designate those entities as systems of importance to the Government of Canada, thereby permitting CSE to provide them services. Where those services risk contravening an Act of Parliament (e.g., the Criminal Code), or infringing the Canadian Charter of Rights and Freedoms, CSE must obtain a ministerial authorization to conduct cyber defence activities to defend these designated systems. Footnote 292

177. The Minister of National Defence has issued two orders to designate classes of electronic information and information infrastructures as of importance to the government: the first in July 2019, then repealed and updated by a second order in August 2020. The order does not expire and includes:

  • Canada's 10 critical infrastructure sectors: government (federal, provincial, territorial, municipal and Indigenous), energy and utilities, information and communications technology, finance, food, health, water, transportation, safety, and manufacturing;
  • information related to the well-being of Canadians and the infrastructure lawfully containing it;
  • entities that support the protection of electronic information and information infrastructures of importance to the government;
  • multilateral organizations located in Canada in which the government is a member;
  • registered Canadian federal, provincial, and territorial political parties and their electronic information and information infrastructures; and
  • post-secondary educational institutions. Footnote 293

178. The order does not obligate CSE to provide its advice, guidance or services to any entity in those designated areas. Rather, CSE must obtain a request from an entity for assistance and then consider a number of factors to determine if the entity falls within the classes designated by the Minister. Footnote 294 Should CSE determine that a non-federal institution is an entity within the classes designated by the Minister, it may then provide its advice, guidance and services to help protect that entity from cyber attack. Should CSE determine that the deployment of its cyber defence sensors or the conduct of a defensive cyber operation would be required to protect the entity (or sector), it must seek a ministerial authorization. Footnote 295 As of May 2021, CSE deployed cyber defence sensors under ministerial authorization to one non-federal institution identified as falling under the first ministerial order to defend the entity from an attack by *** a state actor (see case study 2).

Case study 2: Use of a new authority

[*** Three paragraphs were revised to remove injurious or privileged information. ***] In 2019, CSE detected efforts by a state to compromise the network of a Canadian company. Footnote 296 The state was well-known for its sophisticated attacks against western targets. CSE identified the company as an organization that provided services to a number of critical infrastructure clients and formally identified the company as a system of importance to the government, consistent with the Minister's ministerial order.

CSE blocked related state cyber activity on all government networks and determined that government departments were unaffected. CSE informed the company of the compromise and, in response to its request for assistance, worked with the company to stop the attack.

This case study represents the first use of a novel authority provided to CSE only months earlier. While the Committee is reluctant to draw significant conclusions, it notes two issues. First, this incident shows that authorities must be flexible enough to respond to new challenges. As CSE officials noted, this type of deployment was not what was envisioned when the statute was drafted; rather, the authority was meant to enable longer-term, more proactive collaboration with non-federal organizations, particularly telecommunications companies. Nonetheless, the authority allowed CSE to respond to a sophisticated attack on a company that provided valuable services to critical infrastructure, including the government itself.

Second, it underlines the importance of speed. It took time from when CSE detected anomalous cyber activities to when it helped the company take protective measures and obtained ministerial approval to assist. This is not a criticism: the fact that CSE identified the attack at all is a testament to how closely it monitors threats to Canada. But such attacks must be addressed “at the speed of cyber.” An advanced threat actor can compromise a system, steal data or undermine system functionality in a worryingly short period. The government must continue to consider practical means for CSE to respond to rapidly emerging cyber threats while ensuring adequate ministerial control and accountability.

Designating recipients of identifiable information about Canadians or Canadian businesses

179. The CSE Act stipulates that the Minister may issue an order to designate persons and classes of persons to whom CSE may disclose information that could be used to identify a Canadian or a person in Canada. In the context of the cyber defence activities, it may do so if the disclosure is necessary to help protect the electronic information and information infrastructures of federal institutions, or non-federal institutions designated by the Minister as of importance to the government. In practice, this means that CSE may disclose information if it was acquired, used or analyzed as part of activities carried out under the cyber security and information assurance aspect of the CSE mandate, including private communications intercepted as part of such activities. Footnote 297

180. The Minister of National Defence has issued two orders to designate classes of persons to receive information disclosed by CSE that relates to a Canadian or a person in Canada: the first in July 2019, then repealed and updated by a second order in August 2020. That order does not expire and designates several persons and classes of persons to whom disclosure is permissible if the disclosure of that information is necessary to help protect the electronic information and information infrastructures of federal institutions, or those of systems designated as of importance to the government. Entities covered by the order include:

  • owners or administrators of a computer system or network used by the government or by any non-federal entity that has been designated as of importance to the government;
  • persons or classes of persons who operate under the authorities of federal institutions having a cyber defence coordination or mitigation mandate, where such persons have an operational requirement for the receipt of such information (e.g., SSC, the Canadian Security Intelligence Service, the Royal Canadian Mounted Police);
  • authorized persons or classes of persons within foreign entities with which CSE has established arrangements, including the Five Eyes partners, ***, and foreign computer security incident response teams; and
  • foreign or domestic cyber security organizations that support the protection of electronic information and information infrastructures of importance to the government and entities involved in cyber security research and development with which CSE has a partnership. Footnote 298

Internal operational policies

181. CSE's internal operational policies are known as its Mission Policy Suite. The Mission Policy Suite: Cybersecurity provides policy principles and requirements to guide personnel working under the cyber security and information assurance aspect of CSE's mandate to conduct their activities lawfully. All information acquired by CSE as part of the cyber security and information assurance aspect of its mandate is handled in accordance with the Mission Policy Suite. Footnote 299

182. Specifically, the Mission Policy Suite: Cybersecurity governs the acquisition, use (analysis), retention and disclosure of information in the conduct of CSE's operations. The policy also addresses four critical areas in the conduct of cyber defence activities:

  • CSE (and the CCCS) authority to conduct activities under the cyber security and information assurance aspect of the CSE mandate;
  • the core policy principles with which the CSE must comply when conducting activities under the cyber security and information assurance mandate - lawfulness, necessity and reasonableness, privacy protection, and transparency and accountability;
  • the electronic information and information infrastructures of importance (otherwise known as systems of importance) to the government; and
  • general accountability requirements for CCCS personnel operating under the cyber security mandate. Footnote 300

183. The Mission Policy Suite: Cybersecurity details the specific policy areas, legal obligations, and operational processes and procedures that CSE personnel must follow in the conduct of cyber security and information assurance activities. The policy is meant to enhance privacy protection measures, manage operational risks, and enhance the reasonableness and proportionality of CSE activities. Based on the Mission Policy Suite, several control measures may be applied to CSE activities, including:

  • elevated approvals: employed as a risk control measure, elevated approvals may be required for cyber defence activities that may implicate privacy, legal, operational, partnership or reputational risk for the Government of Canada; and
  • tagging and tracking of information: information acquired by or disclosed to CSE is tagged to indicate its origin and its access, use and handling requirements. Once tagged, information is tracked throughout its life cycle to control its access, retention and disposition, and the limitations on its use and sharing. This also helps CSE to fulfill its obligations under ministerial authorizations.

The Mission Policy Suite: Cybersecurity also establishes how long CSE may keep information; provides a guide for CSE's compliance teams to ensure that operational personnel have disposed of data in accordance with retention and disposition schedules; identifies when information about a Canadian must be suppressed; and provides dissemination controls and permissions for limiting access to particularly sensitive information (e.g., cyber defence or intelligence reports based on highly sensitive sources). Footnote 301 The Mission Policy Suite also requires CSE to obtain consent from a federal institution or a non-federal institution designated as of importance to the government prior to deploying its sensors to those institutions. All of the policy requirements identified in the Mission Policy Suite are incorporated into the ministerial authorizations provided to CSE.

CSE cyber defence activities

184. Under CSE, CCCS is the unified and authoritative source for cyber security in Canada. CCCS was created in 2018 by amalgamating three organizations: CSE’s Information Technology Security branch, Public Safety Canada's Canadian Cyber Incident Response Centre and SSC's Security Operations Centre. CCCS is responsible for leading the government's response to cyber security events and for protecting and defending Canada's cyber assets through targeted advice, guidance and direct assistance. Footnote 302 Within this broad mandate, CSE and CCCS conduct the following activities of direct relevance to cyber defence:

  • provide advice and guidance to government departments and non-government partners;
  • employ cyber defence sensors on government networks, including the monitoring, detection and response to cyber incidents;
  • employ cyber defence sensors on non-government networks; and
  • conduct defensive cyber operations.

The first two are by far the most common; the provision of cyber defence sensors to non-government networks and the conduct of defensive cyber operations stem from new authorities provided to CSE in 2019 and have yet to be widely employed. Each of these is described below.

Advice and guidance

185. CSE advice and guidance falls into three general categories. The first is authoritative direction. Under the Treasury Board Policy on Government Security, CSE is designated as the lead security agency and national authority for communications security. In that role, CSE issues information technology security directives to departments subject to the policy; these directives concern the implementation of standards and practices for the protection of classified information and data, and the securing or authentication of telecommunications information. CSE issued 11 such directives between 2012 and 2019. Footnote 303 These directives must be followed and implemented by subject government departments.

186. The second is alerts, advisories, and tailored information technology advice to organizations. Alerts and advisories are provided to government departments, critical infrastructure providers and the private sector. They cover a wide variety of topics, from vulnerability notifications related to critical infrastructure control systems, to web browser vulnerability warnings, to the sharing of unclassified intelligence community updates related to the targeting of government networks and critical infrastructure by state-sponsored advanced persistent threat actors. Receiving organizations may use the information to take practical measures to defend their systems. Between December 2013 and May 2021, CSE issued 1,721 public alerts and advisories. Footnote 304

187. The third category of advice and guidance is cyber defence reports and threat assessments. These documents vary in scope, topic and classification, and are written for a range of government audiences and the public to increase awareness of the cyber threat environment. These reports and assessments range from strategic assessments (the evolution of the cyber threat environment, the activities of specific states) to operational reports (overview of threats posed by specific cyber security events and vulnerabilities) meant to assist departments in defending their systems. Footnote 305

CSE cyber defence sensors

188. CCCS has developed three types of cyber defence sensors. These are network-based sensors, host-based sensors and cloud-based sensors. Described in detail later, these sensors complement commercially available measures, such as anti-virus and firewall software, to fulfill two roles: to identify malicious cyber activity against government networks and non-federal institutions designated as of importance to the government, and to defend those networks from cyber attack. Footnote 306 Where deployed, CSE sensors form a layer of defences that constantly monitor computer systems and networks at various levels, block known threats, and identify anomalies. Information on anomalies is fed into sophisticated analytical systems to identify new, previously unknown malicious cyber behaviour. This information is then fed back into each sensor as new indicators of malicious cyber threat activity. Footnote 307

189. CSE's cyber defence sensors use*** methods for the identification of malicious cyber threat activity, including [*** Two bullets were revised to remove injurious or privileged information. ***]:

  • Threat recognition: When threats are recognized in the network or in data that CSE obtains through its sensors, an alert is generated. Based on the nature of the alert and the type of threat, a mitigation action may be triggered or CSE analysts may perform additional analysis to determine next steps.
  • Pattern detection: CSE identifies patterns of behaviour that can indicate malicious cyber threat activity by noting instances of network, host or cloud activity that deviate from expected or normal behaviour. CSE can initiate defensive mitigations based on these patterns. Footnote 308

190. Each sensor allows CSE to take mitigation actions to detect or counter a cyber threat. These mitigation actions can be done manually through interactive control by a CSE analyst or automatically through dynamic defence, that is, when verified, preset triggers respond to the presence of malicious cyber activity. Mitigation actions may include the blocking of a malicious connection at the network gateway or the removal of malware from a computer. Footnote 309 Information to identify new threats may also be reported to CSE partners and clients, inside and outside of government.

191. The deployment of defensive sensors involves two steps. The first is to obtain access to a network. Consistent with the authorities vested in individual organizations through the Financial Administration Act, CSE may only deploy its sensors with the informed consent of a network or system owner. In consenting to this access, the system owner provides CSE permission to access the network and electronic information stored therein.

192. The second step is to acquire information. CSE's sensors function by acquiring cyber threat information from the network or system in question. Because CSE cannot know in advance what data may be used maliciously, the breadth of information it acquires is extensive, including the content of traffic transiting a network (e.g., emails) and the metadata of those communications (i.e., information about a communication that can describe its creation, transmission and distribution). This information may contain private communications or information for which a Canadian or a person in Canada may have a reasonable expectation of privacy, and therefore requires a ministerial authorization (described above) to collect. Footnote 310

193. Each of CSE's cyber defence sensors has gone through phases of technical development, proof-of-concept deployment at CSE and approval to deploy to government networks. Figure 2 outlines the timeline of cyber defence sensor development at CSE. The next section details each of the sensors. [*** A chart was revised to remove injurious or privileged information. ***]

Cyber Defence Sensor Development Timeline Footnote 311
  • 2006: CSE develops the first network-based sensor
  • 2010: CSE deploys first network-based sensor to government's Secure Channel Network
  • As a result, CSE discovers Chinese, state-sponsored compromise of Treasury Board Secretariat and Finance
  • 2010: CSE develops first host-based sensor
  • 2012: CSE deploys first host-based sensors to the CSE network
  • 2013: Development and proof-of-concept deployment at CSE of network-based dynamic defence capability
  • 2014: first host-based sensor deployment outside of CSE, at the National Research Council
  • 2014: first deployment of dynamic defence capability in response to HEARTBLEED
  • 2015: CSE***
  • 2017: CSE begins a pilot project for host-based dynamic defence capability
  • June 2017: CSE uses host-based dynamic defence to remove malware from a computer at ***
  • 2017: CSE develops first cloud-based sensor (a host-based sensor for cloud environments)
  • 2019: Treasury Board mandates that government departments must have agreements in place with CSE to deploy cloud-based sensors in advance of initiating a cloud residency
  • 2019: CSE***
  • 2019: CSE ***
  • 2020: The Government of the United Kingdom announces it has improved its network defences through the adoption of Canada's (CSE's) host-based sensor technology, deploying at least 100,000 sensors

Network-based sensors

194. The development of CSE's cyber defence sensors began in 2006 with *** network-based sensors. At the time, CSE operated sensors under ministerial authorization for several government departments to monitor the activity of a small number of foreign cyber threat actors, predominantly Russia and China. Footnote 312 In 2010, CSE deployed these*** sensors on the government's Secure Channel Network, which included dozens of different government organizations. Almost immediately, CSE discovered the compromise of TBS and Department of Finance networks by Chinese, state-sponsored cyber threat actors (see case study 1). In 2014, SSC approved the deployment of *** dynamic defences on its Secure Channel Network. Footnote 313 This allowed CSE to begin taking automated mitigation actions (dynamic defence) in response to significant attacks on government networks, including the 2014 Chinese attacks on the National Research Council and its portfolio partners and a widespread malware attack in 2014 (see case studies 3 and 4).

195. CSE's deployment of *** dynamic defences expanded as SSC replaced the Secure Channel Network with the Enterprise Internet Service as the government's main Internet gateway. As of May 2021, *** federal institutions were active subscribers to SSC's Enterprise Internet Service and therefore protected by these sensors. Footnote 314 CSE also has separate bilateral arrangements to provide *** dynamic defences to a number of organizations. Footnote 315

196. [*** This paragraph was revised to remove injurious or privileged information. ***] Dynamic defences are placed at entry points to a network (often referred to as a gateway, where a network connects to the Internet) to provide maximum visibility of digital traffic and information entering or exiting a government department. This allows CSE to identify threats targeting the information and networks of government departments and detect when systems have already been compromised. Not all threats are identified: malicious cyber actors may circumvent CSE's blocking. When known threats are identified, CSE's dynamic defences automatically block them at the network perimeter. As noted above, suspicious data is sent back to CSE, where it is subject to a sophisticated analytic process to identify suspicious or unusual (anomalous) behaviour. Footnote 316 When new threats are identified, CSE dynamic defences are directed to identify and block those threats thereafter. This dynamic defence of government networks is the key ingredient to successfully defending government networks, as information obtained at one department is applied to proactively defend other departments in an ongoing, continual process to strengthen government cyber defences. Footnote 317

197. CSE sensors reinforce each other's unique capabilities. [*** Two sentences were revised to remove injurious or privileged information. The sentences noted that information acquired from one sensor is analyzed by CSE to detect malicious activity and the resulting indicators of compromise are distributed to other sensors, which in turn identify the same malicious activity and trigger mitigation responses for other organizations. ***]. Footnote 318 The role of host-based sensors is discussed next.
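The self-reinforcing sensor loop described in paragraphs 188 to 190, 196 and 197 (known-threat blocking by dynamic defence, pattern detection against a baseline, central analysis of anomalies, and redistribution of newly verified indicators to every sensor) as an added simulation; this is illustrative code written for this page, not CSE's sensor design. The flow records, the z-score threshold, the two-host corroboration rule and the 203.0.113.10 endpoint are all constructed.

```python
"""Simulation of a layered, self-reinforcing defensive sensor model: known
threats are blocked automatically, anomalies go to a central analytic step,
and newly verified indicators are pushed back to every sensor so that other
organizations block the same activity without having seen it themselves.

Everything here (names, thresholds, sample flows) is constructed for
illustration and is not an actual sensor implementation.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from statistics import mean, pstdev


@dataclass
class Flow:
    """A constructed network flow record as a gateway sensor might see it."""
    org: str          # department whose gateway observed the flow
    src_host: str     # internal host that originated the flow
    dst: str          # remote endpoint (constructed value)
    bytes_out: int    # bytes sent from the host to the remote endpoint


@dataclass
class IndicatorStore:
    """Shared set of verified indicators distributed to every sensor."""
    blocked_dsts: set[str] = field(default_factory=set)

    def add(self, dst: str) -> None:
        self.blocked_dsts.add(dst)


class GatewaySensor:
    """Network-based sensor with dynamic defence (automatic block on verified
    indicators) and pattern detection (per-host egress baseline)."""

    def __init__(self, org: str, indicators: IndicatorStore, z_threshold: float = 3.0):
        self.org = org
        self.indicators = indicators
        self.z_threshold = z_threshold          # constructed deviation threshold
        self.baseline: dict[str, list[int]] = {}  # src_host -> past bytes_out
        self.log: list[tuple[str, str]] = []      # (verdict, dst) per flow

    def learn_baseline(self, flows: list[Flow]) -> None:
        for f in flows:
            self.baseline.setdefault(f.src_host, []).append(f.bytes_out)

    def _is_anomalous(self, f: Flow) -> bool:
        hist = self.baseline.get(f.src_host, [])
        if len(hist) < 5:
            return False                        # too little history to judge
        mu, sigma = mean(hist), pstdev(hist)
        if sigma == 0:
            return f.bytes_out > mu
        return (f.bytes_out - mu) / sigma > self.z_threshold

    def observe(self, f: Flow) -> str:
        """Return 'block', 'anomaly' or 'pass' for one flow and record it."""
        if f.dst in self.indicators.blocked_dsts:
            verdict = "block"       # threat recognition -> dynamic defence
        elif self._is_anomalous(f):
            verdict = "anomaly"     # pattern detection -> sent for analysis
        else:
            verdict = "pass"
        self.log.append((verdict, f.dst))
        return verdict


class CentralAnalysis:
    """Stand-in for the central analytic step: an anomaly reported for the
    same destination by at least `min_reports` distinct hosts is promoted to
    a verified indicator, which every sensor then blocks."""

    def __init__(self, indicators: IndicatorStore, min_reports: int = 2):
        self.indicators = indicators
        self.min_reports = min_reports          # constructed corroboration rule
        self.reports: dict[str, set[str]] = {}  # dst -> reporting org/host pairs

    def report(self, f: Flow) -> bool:
        """Record an anomaly; return True once the destination is promoted."""
        hosts = self.reports.setdefault(f.dst, set())
        hosts.add(f"{f.org}/{f.src_host}")
        if len(hosts) >= self.min_reports:
            self.indicators.add(f.dst)
            return True
        return False


def run_scenario() -> dict:
    """Two departments share one indicator store; an anomaly at the first
    becomes a block at the second."""
    indicators = IndicatorStore()
    analysis = CentralAnalysis(indicators)
    dept_a = GatewaySensor("dept-a", indicators)
    dept_b = GatewaySensor("dept-b", indicators)

    # Constructed baseline: normal egress of roughly 4 KB per flow.
    for sensor in (dept_a, dept_b):
        sensor.learn_baseline([Flow(sensor.org, host, "cdn.example", b)
                               for host in ("ws1", "ws2")
                               for b in (4000, 4200, 3900, 4100, 4050, 3950)])

    # Constructed incident: two dept-a hosts send 5 MB each to one endpoint.
    exfil = "203.0.113.10"   # documentation (TEST-NET-3) address, constructed
    promoted = False
    for host in ("ws1", "ws2"):
        f = Flow("dept-a", host, exfil, 5_000_000)
        if dept_a.observe(f) == "anomaly":
            promoted = analysis.report(f) or promoted

    # Later, dept-b sees a small flow to the same endpoint: blocked outright,
    # although dept-b itself never observed anything anomalous.
    verdict_b = dept_b.observe(Flow("dept-b", "ws1", exfil, 4000))
    return {"promoted": promoted, "dept_a_log": dept_a.log, "dept_b_verdict": verdict_b}
```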

Case study 3: Dynamic defence and the HEARTBLEED vulnerability

[*** Five paragraphs were revised to remove injurious or privileged information.***] On April 8, 2014, the United States publicly disclosed a vulnerability in open source encryption tools used to secure communications over computer networks and the Internet. The vulnerability, called HEARTBLEED, could be used to obtain confidential information, such as certificates securing and encrypting Internet communications, passwords and personal information. Footnote 319 CSE and SSC assessed the information and advised government network administrators to patch the vulnerability or disable their systems until they could.

On April 9, the Canada Revenue Agency (CRA) shut down two online tax services. On April 10, the Chief Information Officer of Canada issued government-wide direction to take vulnerable servers offline until patched. On April 11, SSC approved CSE's installation of dynamic defences on its Secure Channel Network. Within one month, these defences had blocked numerous instances of malicious HEARTBLEED traffic, protecting SSC and the government organizations that subscribed to the SSC secure Internet gateway. CSE also provided telecommunications service providers information to block HEARTBLEED attacks.

Treasury Board of Canada Secretariat described this incident as one of the most serious to affect the government. At the time, the government was poorly positioned to defend its networks from cyber attack. While CSE had deployed defensive tools to SSC, Global Affairs Canada, DND and CSE itself, it had not deployed dynamic defences and it was still in the early days of building its internal automation systems. As a result, multiple cyber threat actors used the vulnerability to extract information from government networks. In total, 12 government departments suffered remote exploitation and data exfiltration, including the theft of at least 900 taxpayer social insurance numbers from CRA.

After the attack, the government identified a number of challenges that remain of interest to the Committee today. These include the need for better governance of incident management, improving government-wide cyber security processes (for example, updated direction in areas such as vulnerability and patch management, privileged account access, and accurate and automated inventory of critical government systems), and strengthening the government's network perimeter.

Many of these problems have been addressed through new Treasury Board directives, more focused incident management protocols and the creation of SSC itself, which allows for quick and mandatory patching of vulnerabilities. As will be discussed later, however, challenges persist, notably that many departments still remain outside the secure perimeter and therefore unprotected by CSE's cyber defences. This leaves their information vulnerable to the most sophisticated actors and potentially creates pathways into government departments that are inside the perimeter. In addition, Treasury Board directives, SSC security configurations and CSE guidance are not universally followed, and in one case a lack of compliance caused preventable losses of data (see case study 6).

Host-based sensors

198. CSE began the development of host-based sensors in 2010. At the time, CSE recognized that perimeter defences were only half the battle, and that an advanced cyber defence framework would require a tool that could identify the presence of advanced cyber threat activity on individual computers. Footnote 320 In 2012, CSE deployed the first host-based sensor on its own network as a proof of concept. In 2014, it deployed the first host-based sensor outside of CSE to the National Research Council and its science portfolio partners following the compromise of that agency's systems by China (see case study 4). By the end of 2014, CSE had deployed the sensor to 12 departments. Footnote 321 In 2015, it prioritized the rollout of host-based sensors to other government departments based on factors such as the likelihood that specific departments would be targeted by foreign states and where deployments would cover gaps in network-level monitoring. Footnote 322 By the end of 2020, CSE had deployed host-based sensors to*** departments, with a cumulative total of more than 500,000 host-based sensor deployments. Footnote 323 CSE has immediate plans to deploy this sensor to*** additional departments, and*** more federal institutions as part of ongoing efforts to expand host-based coverage of government departments. Current CSE planning on engagements with federal organizations would bring host-based sensor deployments to a total of*** organizations. The timeline to complete these roll-outs will vary from department to department, and will continue to prioritize organizations based on the sensitivity of the information they hold, their relative security posture and needs to cover ongoing gaps in monitoring. Footnote 324

199. Host-based sensors are deployed on computers, workstations and servers, known as endpoint devices. These deployments allow CSE to acquire (or collect) information and to subsequently take mitigation actions to counter a cyber threat. Footnote 325 *** mitigation actions can be automated with host-based sensors, allowing for real-time, dynamic defence of individual computers. [*** Two sentences were deleted to remove injurious or privileged information. The sentences explained the installation of sensors.***] Host-based sensors have the following functions:

  • collecting information from a host, which is sent via an encrypted Internet link to CSE;
  • analyzing and processing collected information to detect suspicious or anomalous activity occurring on a host machine;
  • reporting anomalies, compromises and vulnerabilities to affected departments; with that information, CSE can provide mitigation recommendations (e.g., for patching or updating machines with new software, password resets or the removal of a machine from a network);
  • removing malware from a host, either manually by a CSE analyst or automatically***
  • *** blocking or neutralizing malware; and
  • ***

200. [*** This paragraph was revised to remove injurious or privileged information. ***] Host-based sensors collect several types of information. Similar to network-based sensors, this information may relate to a Canadian or to a person in Canada for which there is a reasonable expectation of privacy. As a result, host-based sensors are operated under ministerial authorization. Footnote 326

Case study 4: The need for enhanced endpoint protection

[*** Four paragraphs were revised to remove injurious or privileged information. ***] On June 18, 2014, CSE discovered a compromise of the National Research Council (NRC) by a Chinese state-sponsored actor. Footnote 327 The Chinese actor was believed to have been active since ***, and sought information related to foreign relations and trade, science and telecommunications technologies, energy and natural resources, and environment and climate change issues.

CSE determined that China had gained access to the NRC network by sending spear phishing emails to NRC email accounts, and used its access to steal more than 40,000 files. The theft included intellectual property and advanced research and proprietary business information from NRC's partners. China also leveraged its access to the NRC network to infiltrate a number of government organizations.

At the time of the attack, the NRC network was not part of the SSC-managed Secure Channel Network and neither SSC nor CSE could use their sensors to observe China's activity on the NRC network. To see what was happening, CSE deployed host-based sensors for the first time outside of CSE. At the same time, CSE updated the dynamic defences it had just deployed on the Secure Channel Network (in April, in response to the HEARTBLEED attacks) to block China's attacks on other government departments. SSC also blocked NRC's connectivity to federal organizations.

The government's response to this incident was manual, extensive, costly, months-long and grew to include multiple departments. NRC informed its clients that their data may have been at risk. The cost of mitigating this attack was estimated at over $100 million and involved a years-long effort by the NRC, SSC and CSE to rebuild the NRC network with appropriate security safeguards built in from the start.

The incident exposed a number of challenges regarding the government's ability to protect its networks from cyber attack. Most notably, it highlighted the need to better protect the government's network perimeter, reduce and consolidate the number of Internet access points in use by government departments, and provide enhanced endpoint protection (through host-based sensors) outside of CSE. It also reinforced lessons learned in HEARTBLEED regarding the need for better governance of incident management and improvements to government-wide cyber security processes (e.g., patching of vulnerable applications and better control of privileged account access).

Case study 5: An attack against the Department of National Defence

[*** Three paragraphs were revised to remove injurious or privileged information. ***] In 2017, CSE discovered that a state sponsored actor had compromised a network of the Department of National Defence (DND). The actor stole significant amounts of data and used its presence to infect other networks. DND isolated the network, CSE updated its dynamic defences to protect other departments, and both cooperated with SSC to remove the actor's presence. Footnote 328

This case study highlights important issues. The network contained several unpatched and unsupported applications and legacy operating systems, all of which were vectors of entry for the actor. Moreover, the network was not connected to SSC's Enterprise Internet Service and therefore not protected by CSE's defences. The network was, however, connected to a number of other government departments, introducing a risk of compromise to the broader government architecture had the actor been able to jump to those organizations' networks. On the other hand, CSE was able to deploy its defences and take immediate remedial action because of an existing ministerial authorization for cyber defence activities that already included DND. Footnote 329 In short, this case study underlines the dangers of maintaining unpatched, legacy systems with separate connectivity to the Internet outside of SSC's Enterprise Internet Service, and the importance of the existence of appropriate authorities to deploy necessary cyber defences.

Cloud-based sensors

201. As discussed earlier, the government is increasingly using cloud environments as part of its modernization plans for information technology systems and infrastructure. In 2017, TBS issued the Direction on the Secure Use of Commercial Cloud Services, obligating subject departments to comply with prescriptive security guardrails before receiving approval for initiating a cloud tenancy. In 2019, TBS obligated departments to include cloud-based sensors as part of their cloud implementation, and CSE and SSC started onboarding departments for cloud-based sensor deployments. Footnote 330 The deployment of cloud-based sensors was further accelerated as a result of the COVID-19 pandemic. In May 2020, TBS established service specific guardrails for Microsoft Office 365 and SSC fast-tracked, in collaboration with TBS and CSE, the migration of departments to cloud-based email and collaboration services to respond to significant demands for remote work. CSE and SSC collaborated to rapidly add cloud-based sensors to *** organizations. As a result, CSE is now positioned to provide monitoring services for all departments who transition their email services to SSC-brokered cloud services. Footnote 331

202. Cloud-based sensor deployments are meant to protect the tenancy of federal institutions in cloud environments, and to augment protection services offered by network-based and host-based sensors. Footnote 332 [*** Five sentences were deleted to remove injurious or privileged information. The sentences described CSE operations. ***]

As with network-based and host-based sensors, cloud-based sensors may collect information for which a Canadian or a person in Canada may have a reasonable expectation of privacy. As a result, deployments of cloud-based sensors are operated under a ministerial authorization.

Case study 6: A state attack against a Crown corporation and government systems

[*** Five paragraphs were revised to remove injurious or privileged information.***] In 2020, CSE discovered that a state had compromised the network of a Crown corporation. The state used its presence on the corporation's network to compromise several government departments and scan multiple others for vulnerabilities. It likely attacked other Crown corporations. CSE and SSC blocked links between the corporation and the rest of government, and determined that the state had accessed significant amounts of information. The attack was mitigated. Later, CSE discovered that the state had compromised a government department and attempted to compromise others. These attacks were also mitigated. Footnote 333

This case study highlights two issues. First, cyber defence sensors are effective, but they cannot work if they are not deployed. The Crown corporation is not subject to Treasury Board direction, did not use SSC's Enterprise Internet Service, and has yet to implement CSE's recommendation to adopt it. Second, even where a department is subject to Treasury Board and SSC direction, it can refuse it: three months prior to the state compromise, SSC shut down a department's weak single-factor authentication service only to have its decision reversed by departmental officials, despite a stronger alternative being available within two weeks. This was a key factor in the cyber attack.

Defensive cyber operations

203. Defensive cyber operations are one of the newest aspects of CSE’s five-part mandate. The operations are meant to protect the electronic information and infrastructures of federal organizations and non-federal organizations designated as systems of importance to the government. Thus far, CSE has received two year-long ministerial authorizations to conduct such operations, ***. Footnote 334 In neither case were operations actually conducted; in the first year, normal cyber defence activities successfully mitigated the threat and obviated the need for a separate operation and in the second year, planned operations had not proceeded to the operational stage. Footnote 335 As a result, the Committee limits itself to providing an explanation of these operations and may return to the issue in the future. Footnote 336

204. Defensive cyber operations require ministerial authorization. Without this authorization, defensive cyber operations would risk contravening one or more acts of Parliament (e.g., the Criminal Code). This can include activities that involve fraudulent behaviour, falsification of materials or information, manipulation of computer hardware or software without the permission of the system owner, and interacting with threat actors at the time that actor commits an offence. Operations may be used in three circumstances:

  • when a cyber threat is of such sophistication that neither commercially available defences nor CSE’s classified sensors are sufficient to counter it;
  • when a compromise has progressed to a stage that already-deployed sensors are no longer capable of mitigating it; and
  • when a cyber threat is of such scope and scale, affecting so many federal institutions and designated non-federal entities, that deploying sensors could not be done in a timely manner to mitigate the threat. Footnote 337

205. The CSE Act requires that defensive cyber operations be conducted on portions of the global information infrastructure outside of Canada, not be directed at Canadians or any person in Canada, and not infringe the Charter. These operations would involve *** to install, maintain, copy, distribute, search, modify, disrupt, delete or intercept anything, or interact with anyone, in order to achieve objectives of protecting government networks and those of entities designated as of importance to the Government of Canada. In practice, this means that CSE may:

  • ***
  • ***
  • ***
  • ***
  • ***

206. [*** This paragraph was revised to remove injurious or privileged information. The paragraph described CSE techniques. ***] Under the current ministerial authorizations, defensive cyber operations are conducted to achieve certain objectives, but are not meant to be used to collect information.

Results and outcomes

207. CSE measures the success and value of its cyber defence program by tracking the degree to which its sensor program is able to isolate and prevent harm to federal electronic information and information infrastructures or non-federal institutions designated as of importance to the government. This data is provided annually to the Minister of National Defence in applications for ministerial authorizations and subsequent reporting. These metrics are provided in Table 2.

Table 2: Cyber Defence Sensors; Measuring Outcomes

Measure                                      | 2015-2016     | 2016-2017     | 2017-2018     | 2018-2019     | 2019-2020
Host-based sensors deployed (departments)    | 161,012 (***) | 313,781 (***) | 345,160 (***) | 404,891 (***) | 583,809 (***)
Network-based sensors deployed (departments) | see note (1)  | see note (1)  | see note (1)  | see note (1)  | *** (***)
Cloud-based sensors deployed (departments)   | N/A           | N/A           | N/A           | N/A           | N/A
Malicious traffic blocked (daily)            | 282 million   | 474 million   | 693 million   | 1.6 billion   | 1.3 billion
Compromises (advanced persistent threats)    | *** (***)     | *** (***)     | *** (***)     | *** (***)     | *** (***)
Compromises with exfiltration of data        | ***           | ***           | ***           | ***           | ***
Cyber defence reports                        | 961           | 1,110         | 2,070         | 1,193         | 4,379

(1) Consistent data was not available during this period. Footnote 339

Sources: Data drawn from CSE, “Ministerial Authorization Year End Report: 2015-2016,” Undated; CSE, “Ministerial Authorization Year End Report: 2018-2019,” Undated; CSE, “Interim Ministerial Authorization Year End Report: May 2019 - October 2019,” Undated; CSE, “End of Authorization Report for the Minister of National Defence - Cybersecurity Authorization for Activities on Federal Infrastructures: August 29, 2019 - July 30, 2020,” Undated; CSE, “HBS Deployment Priorities,” October 22, 2020; CSE, “CSE Cyber Defence Activities,” Memorandum for the Minister of National Defence, June 12, 2017; CSE, “Cyber Defence Activities,” Memorandum for the Minister of National Defence, May 30, 2016; CSE, “CSE Cyber Defence Activities,” Memorandum for the Minister of National Defence, June 11, 2018; and CSE, “Activities on Federal Infrastructures,” Application to the Minister of National Defence for Cybersecurity Authorization, July 26, 2019.

208. CSE's cyber defence sensors cover a significant portion of government networks. As of November 10, 2020, CSE provides some or all of its cyber defence sensors to a total of *** federal institutions, either through those organizations subscribing to the SSC Enterprise Internet Service or various bilateral agreements including with a handful of agencies or Crown corporations not subject to Treasury Board directives. Footnote 340 As a result, Canadian government networks enjoy the most advanced cyber security measures of “any national government in the world.” Footnote 341

209. Nonetheless, many government organizations do not benefit from these protective measures deployed by CSE, as they are not obligated to adopt them. The total inventory of federal government organizations is 169. These include everything from commonly known departments (e.g., Global Affairs Canada), to agencies like the Canadian Security Intelligence Service or CSE, service-oriented entities (e.g., the Canada Border Services Agency), Crown corporations (e.g., Export Development Canada), and separate agencies (such as the offices of the Information Commissioner and Privacy Commissioner of Canada). Some of the organizations, including the Secretariat to this Committee, obtain their information technology services through an organization that SSC and CCCS protect. Others do not, obtaining their information technology and Internet connectivity through private sector companies. The reasons for this vary and include concerns about independence from government and cost of service, but it leaves those organizations worryingly vulnerable to the loss of their own data and to inadvertently acting as a hidden vector into the government's protected systems through electronic links maintained with related federal departments, thereby also putting the government's data at risk. The Committee discusses this issue in its assessment.

210. As part of its reporting to the Minister of National Defence, CSE tracks the number of times it has used, retained or disclosed private communications or solicitor-client communications incidentally collected under its cyber security ministerial authorizations. How CSE counts this number has changed drastically in the last several years. Far from being a simple issue of methodology, those changes reveal important things about the risks posed to Canadians' reasonable expectation of privacy by CCCS cyber defence activities.

211. Prior to 2018, CSE automatically tracked and recorded any email collection with at least one end in Canada as a private communication. This resulted in CSE reporting to the Minister on the retention of hundreds of thousands of communications. Footnote 342 In March 2015, the CSE Commissioner completed a combined review of CSE's cyber defence activities conducted under ministerial authorizations issued between 2009 and 2012 and found that the vast majority of private communications unintentionally intercepted by CSE contained only malicious code and efforts to tailor a message to entice the target to open its content. The Commissioner concluded that those intercepted private communications contained no consequential information or exchange of any personal information and therefore should not be considered “private communications” as defined by the Criminal Code. Footnote 343

212. [*** One sentence was deleted to remove injurious or privileged information. ***] CSE revised the interpretation of what constitutes a private communication under cyber security ministerial authorizations: CSE now reports fewer than 100 such interceptions a year. Footnote 344 In the CSE Commissioner's view, the previous practice distorted the privacy risk implications of CSE's cyber defence activities, while the new methodology “should provide a more accurate and meaningful measure of the privacy implications resulting from CSE activities.” Footnote 345 The fact that CSE cyber defence activities entail relatively few privacy risks to Canadians or owners of systems and networks on which CSE sensors are deployed should be an important factor for organizations that cite independence as the reason for remaining outside of the government's cyber defence framework, an issue to which the Committee returns in its assessment.

Summary

213. The Communications Security Establishment (CSE) is at the centre of the government's framework for cyber defence. It collects intelligence on threats to government systems and networks, operates a sophisticated, layered defensive network of sensors that identifies and blocks those threats, and provides direction and advice to government organizations (and increasingly, to Canadians and private sector organizations) to strengthen their own information technology security. CSE's cyber defence capabilities have evolved to counter cyber threats of increasing sophistication, and as they have been deployed to increasing numbers of federal organizations, have grown to play an ever-increasing role in the government's ability to defend its networks from cyber attack. This section discussed CSE's authority to conduct cyber defence activities, described the development and use of each of CSE's cyber defence sensors, and the internal governance mechanisms used to control those activities and to ensure CSE's accountability to the Minister of National Defence. The next section of the report describes the governance mechanisms in place to manage the conduct of cyber defence activities across government.