Chapter 3: Global Affairs Canada's Facilitation Role
Special Report on the National Security and Intelligence Activities of Global Affairs Canada

86. Beyond its role in ensuring foreign policy coherence, GAC is an important partner in several of the security and intelligence community's most sensitive activities. The Canadian Security Intelligence Act (CSIS Act) and the Communications Security Establishment Act (CSE Act) grant the Minister of Foreign Affairs a role in the collection of foreign intelligence within Canada and the conduct of cyber operations. The Department's management of Canada's diplomatic relations and foreign missions, in turn, renders it a player in intelligence collection activities abroad. While GAC is a *** beneficiary of much of the collected information, this function also carries risks. The Minister of Foreign Affairs is responsible for managing the risks these activities pose to Canada's bilateral and multilateral relations, international reputation, and the safety and security of Canadian personnel and assets abroad.

87. This chapter examines GAC's role in facilitating the activities of its security and intelligence partners. It describes the nature of the activity; the Department's role in the activity; and the governance of the activity both across organizations and within the Department.

The collection of foreign intelligence within Canada

Background and authority

88. Section 16 of the CSIS Act is the authority for the collection of foreign intelligence within Canada. Footnote 190 The Act grants the ministers of Foreign Affairs and of National Defence the authority to request the assistance of the Canadian Security Intelligence Service (CSIS) in the collection of information on the capabilities, intentions or activities of foreign states or individuals in relation to the conduct of international affairs or national defence within Canada. Footnote 191 Under this authority, the Minister of Foreign Affairs can request information in support of any matter within their broad mandate. [*** Three sentences were deleted to remove injurious or privileged information. The sentences described types of requested information, techniques and targets. ***] Footnote 192 Footnote 193

The Department's role

89. [*** This paragraph was revised to remove injurious or privileged information. ***] GAC is one of two possible sources of requests for section 16 intelligence collection. Footnote 194 The Department launches the process, consults with CSIS and then drafts a rationale outlining information on the specific details contained in the rationale. Footnote 195 Footnote 196 Footnote 197 A committee considers the rationale and decides whether to recommend the section 16 target for approval to the requesting minister. Should the Minister of Foreign Affairs agree, the Department prepares the formal request to the Minister of Public Safety. If the Minister of Public Safety consents to the request for assistance, he or she directs CSIS officials to begin collection. Finally, CSIS officials may seek a warrant from the Federal Court incorporating the rationale provided by GAC.

90. [*** This paragraph was deleted to remove injurious or privileged information. The paragraph described targets, collection requirements and risks. ***] Footnote 198

Interdepartmental governance

91. The governance structure for the section 16 program has evolved considerably since the authority came into force in 1984. The program's initial governance, in place from 1987 to 2008, did not include any formal procedures, oversight committees or criteria against which collection requests were evaluated and approved. Footnote 199 In 2008, officials from participating organizations introduced a formalized governance model, which included a requirement to assess potential subjects against criteria linked to Canada's intelligence priorities and a permanent oversight committee structure (the *** Committee) with the responsibility to evaluate and endorse section 16 rationales before they are submitted for approval to the relevant ministers. Footnote 200 The new system established the Privy Council Office (PCO) as the central governance body for section 16 and as chair of the *** Committee.

92. The governance structure of the section 16 process was further refined in 2020. In December 2020, the *** Committee finalized its terms of reference, which laid out its mandate and membership, and the roles and responsibilities of participating organizations. Footnote 201 The document also outlines the *** Committee's accountability structure. Under this structure, *** committee is responsible for reviewing the committee's operating procedures and information handling and dissemination standards related to section 16, and for discussing issues related to section 16 litigation at the Federal Court. The *** committee meets to review requests, and to discuss section 16 priorities and keep deputy ministers informed of important issues. The *** committee is supposed to meet annually to review the *** requirements and intelligence priorities (although no information was provided to confirm that these meetings take place). The committee also developed standard operating procedures to guide the *** process *** and developed a handling and dissemination standard for intelligence collected under this authority. Footnote 202

93. [*** This paragraph was revised to remove injurious or privileged information. ***] As part of these efforts, the Committee introduced a documented risk assessment process. Until 2020, foreign policy risk assessments for proposed section 16 targets were not documented as part of the rationale or the approval process. Footnote 203 Rather, on deciding to endorse a section 16 target, the committee chair would orally confirm that officials were aware of the risks of undertaking the collection and comfortable with mitigation measures in place. Footnote 204 Footnote 205 In 2020, the Committee formalized the risk assessment process with the introduction of assessments that officials from the requesting department (GAC or the Department of National Defence) and from CSIS were required to complete. Footnote 206 Importantly, however, the results are only considered by the Committee; they are not included by GAC as part of the rationale submitted for Ministerial approval.

Internal governance

94. GAC's role in the section 16 process involves multiple steps, including the initial request, the rationale and the foreign policy risk assessment. While the committee's standard operating procedures provide some detail into GAC's internal processes, including key considerations and consultation requirements for risk assessments, the Department itself does not have any policies, procedures or guidelines governing GAC's role in this process. The Department also does not have any requirements in place for reporting to the Minister of Foreign Affairs on the information collected under section 16, outside of the *** target renewal process.

95. By way of comparison, CSIS has developed a number of policies, procedures and guidance documents on its role and responsibilities under the section 16 process. CSIS's *** is the most relevant. Footnote 207 This document outlines CSIS's foreign intelligence mandate and authority, and the various steps of the section 16 process, including a delineation of roles and responsibilities of various units within CSIS, as well as the program's interdepartmental governance structure. CSIS has also implemented specific policies related to compliance requirements for section 16 activities. Footnote 208 CSIS's section 16 activities are included under its policy ***, which outlines the agency's principles of lawfulness, proportionality and effectiveness that govern its activities, the various operational tools at its disposal, risk factors and potential mitigation measures, and the warrant application process. Footnote 209 Finally, CSIS reports annually to the Minister of Public Safety on a number of operational activities. Footnote 210 Its reporting includes a list of section 16 targets, and the nature and value of intelligence collected against them.

Legal challenges

96. [*** This paragraph was revised to remove injurious or privileged information. ***] In the past three years, the section 16 program has faced legal challenges in the Federal Court that undermine the effectiveness of the program and its ability to provide intelligence of value. Specifically, the Federal Court refused to authorize certain intelligence collection techniques under section 16 warrant applications over concerns that the proposed collection activity would occur outside of Canada, effectively violating the "within Canada" limitation under the Act. Footnote 211 This increased scrutiny and strict interpretation of the "within Canada" limitation by the Federal Court raises concerns about CSIS's continued ability to acquire warrants that will be effective in collecting foreign intelligence. Footnote 212 This challenge will likely worsen as global trends continue.

Active cyber operations

Background and authority

97. The CSE Act granted new authorities to CSE and created a key role for the Minister of Foreign Affairs. One of these new authorities allows CSE to conduct active cyber operations to degrade, disrupt, influence or interfere with the capabilities or intentions of foreign entities. Footnote 213 The Minister of National Defence authorizes these activities through the annual issuance of ministerial authorizations. Footnote 214 Active cyber operations can have broad objectives, including in pursuit of Canada's foreign, defence or security interests. They also carry important foreign policy risks, including potential damage to Canada's bilateral or multilateral relations, or potential violations of the country's international legal commitments in cyberspace. Footnote 215 In recognition of the foreign policy implications of these activities, the Act stipulates that the Minister of National Defence may issue this authorization only if the Minister of Foreign Affairs has requested or consented to its issue. Footnote 216

The Department's role

98. In the two years since the authority has been in place, GAC's role has been to contribute to the development of ministerial authorizations and provide foreign policy risk assessments. The Minister of National Defence issued CSE's first authorization for active cyber operations in 2019. Footnote 217 CSE officials developed this ministerial authorization in close consultation with GAC. Footnote 218 In recognition of the potential risks posed by this new authority, the authorization ***. Footnote 219 At the operational level, GAC is responsible for providing foreign policy risk assessments in writing to CSE for each planned active cyber operation. Footnote 220 GAC's risk assessment considers the operation's potential impact on Canadian interests, its compliance with international law and cyber norms, its alignment with broader foreign policy interests and the nature of the target ***. Footnote 221 Between 2019 and 2020, CSE planned four active cyber operations and carried out one. Footnote 222

Interdepartmental governance

99. In August 2019, the Minister of Foreign Affairs directed GAC officials to work with CSE to develop a formal governance mechanism to ensure CSE's cyber operations align with Canada's foreign policy and international legal obligations. Footnote 223 In the subsequent year, officials from both organizations built on their existing consultation mechanism to create the CSE-GAC Active Cyber Operations/Defensive Cyber Operations Working Group and a comprehensive governance framework for consultation on cyber operations (GAC and CSE's consultation mechanism and CSE's defensive cyber operations are discussed at paragraphs 62-64). Footnote 224 The working group is the central forum for communication and collaboration on active and defensive cyber operations, including for the development of ministerial authorizations. CSE and GAC co-chair regular working group meetings, which are held at the director general-level. The group includes representation from CSE ***, the Department of Justice, the Department's legal services unit, and various units within the Department. Over the course of its work, the working group developed a governance framework for the conduct of cyber operations. The framework outlines the procedures for the provision of GAC's foreign policy risk assessments ***. Footnote 225

100. The National Security and Intelligence Review Agency (NSIRA) conducted a review of CSE's ministerial authorizations and ministerial orders in 2019. As part of this review, it examined the ministerial authorization process for CSE's active cyber operations and made one finding and one recommendation relevant to the governance of that process. Specifically, NSIRA found that CSE and GAC did not sufficiently document their consultation on letters of consent from the Minister of Foreign Affairs to the Minister of National Defence. The agency recommended that CSE ensure the consultation process with GAC for cyber operations be documented "as precisely as possible to allow for an easy verification of its compliance with the sequencing required in the Act." Footnote 226

Internal governance

101. Documentation on GAC's internal governance of its role in cyber operations is contained in the working group's governance framework. As mentioned, the document outlines ***. The document also includes GAC's internal foreign policy risk assessment chart, which lists the Department's key risk considerations, namely domestic and international legal obligations, the impact on bilateral and multilateral relations and reputation, and the possible threat posed to GAC's network of missions and personnel abroad. Footnote 227 The document also lists the divisions to be consulted in the process, including the Department of Justice, the Department's legal services unit, *** and various groups within the Department. The Department has not developed other policies, procedures or guidance on its role in CSE's active cyber operations. The Department does not have any requirements to report to the Minister on its activities with respect to active cyber operations; however, it produced its first Annual Foreign Cyber Operations Report for 2021, which was briefed to the Minister in March 2022. Footnote 228

102. By way of comparison, CSE's internal governance for cyber operations is a combination of internal oversight committees, policies and a comprehensive risk assessment framework. First, the Cyber Operations Group and the Cyber Management Group oversee CSE's cyber operations. Footnote 229 These are executive bodies, at the director- and director general-level respectively, that review and approve cyber operation plans and risk assessments. The Director of *** and the Deputy Chief of Signals Intelligence chair the respective committees, and membership depends on ***. Participants are responsible for representing concerns and considerations from their respective areas of expertise, providing a challenge function for operations, and communicating decisions or information to relevant parts of the organization. CSE's Mission Policy Suite: Cyber Operations, in turn, explains the agency's authorities and core principles, provides guidance on the conduct of cyber operations, describes the broader governance framework surrounding these activities, and explains the agency's compliance and review responsibilities. Footnote 230 Finally, CSE's SIGINT [signals intelligence] Operations Risk Acceptance Form outlines the agency's comprehensive risk assessment process. The form includes requirements for records of consultation with relevant internal and external stakeholders, and questions on privacy protection, compliance and various risk factors.

103. CSE's ministerial authorization for active cyber operations describes in detail the agency's reporting requirements to the Minister of National Defence and the Minister of Foreign Affairs. Footnote 231 The authorization requires the Chief of CSE to update the Minister of National Defence every three months on CSE's active cyber operations. The Minister of National Defence can share this information with the Minister of Foreign Affairs. The authorization also requires CSE to provide the Minister of National Defence with a report on the outcome of the activities carried out under the authorization, including the number of operations conducted, the value of those operations and any serious implementation challenges, within 90 days after the expiry of the authorization. CSE also provides this report to the Minister of Foreign Affairs.

***

Background and authority

104. [*** This paragraph was deleted to remove injurious or privileged information. The paragraph described a program. ***]. Footnote 232 Footnote 233 Footnote 234 Footnote 235

105. GAC states that it derives its authority for the program from the Crown prerogative. [*** The rest of this paragraph was deleted to remove injurious or privileged information. The paragraph described an authority. ***]. Footnote 236 Footnote 237

The Department's role

106. [*** This paragraph was deleted to remove injurious or privileged information. The paragraph described the department's role. ***]. Footnote 238

107. [*** This paragraph was deleted to remove injurious or privileged information. The paragraph described the department's role. ***]. Footnote 239 Footnote 240

108. [*** This paragraph was deleted to remove injurious or privileged information. The paragraph described the department's role. ***]. Footnote 241

Governance

109. [*** This paragraph was deleted to remove injurious or privileged information. The paragraph described governance mechanisms. ***]. Footnote 242 Footnote 243

110. [*** This paragraph was deleted to remove injurious or privileged information. The paragraph described governance mechanisms. ***]. Footnote 244 Footnote 245 Footnote 246

Internal governance

111. [*** This paragraph was deleted to remove injurious or privileged information. The paragraph noted that the Department does not have any policies, procedures or documents to govern its involvement, and does not have any reporting requirements to the Minister. ***]. Footnote 247

112. [*** This paragraph was deleted to remove injurious or privileged information. The paragraph noted challenges regarding the management of risk. ***]. Footnote 248 Footnote 249 Footnote 250

113. [*** This paragraph was deleted to remove injurious or privileged information. The paragraph described how another organization approached the management of risk. ***]. Footnote 251 Footnote 252 Footnote 253 Footnote 254 Footnote 255

The future ***

114. [*** This paragraph was deleted to remove injurious or privileged information. The paragraph noted the Department's failure to inform the Minister of important issues. ***]. Footnote 256 Footnote 257 Footnote 258 Footnote 259 Footnote 260

Logistical support ***

Background and authority

115. The final element of GAC's facilitation role concerns the Department's infrequent but critical provision *** The Department's authority to provide this support derives from the Crown prerogative.

***

116. GAC provides ***. Footnote 261 Footnote 262

117. GAC has no written policies, procedures or guidelines in place to govern its provision of *** with one partial exception. In 2021, the Department developed a one-page document outlining the internal process ***. Footnote 263 ***. Footnote 264

***

118. [*** This paragraph was deleted to remove injurious or privileged information. The paragraph described a process. ***]. Footnote 265 Footnote 266

119. [*** This paragraph was deleted to remove injurious or privileged information. The paragraph described GAC's role in a process, and that it lacked policies or procedures to manage its role. ***]. Footnote 267

***

120. [*** This paragraph was deleted to remove injurious or privileged information. The paragraph described GAC's role in a process, and that it lacked policies or procedures to manage its role. ***]. Footnote 268 Footnote 269 Footnote 270

***

121. [*** This paragraph was deleted to remove injurious or privileged information. The paragraph described GAC's role in a process, and that it lacked policies or procedures to manage its role. ***]. Footnote 271 Footnote 272 Footnote 273