Chapter 5: The Committee's Assessment
Special Report on the National Security and Intelligence Activities of Global Affairs Canada
240. In conducting this review, the Committee set out to examine GAC's national security and intelligence activities, its authority to conduct those activities and the governance of those activities. As a result, the Committee has come to understand that the Department, by virtue of its responsibility for managing Canada's international relations and global network of missions, plays an integral role in the security and intelligence community. Among its key roles, GAC works to ensure that the activities of its security and intelligence partners are coherent with the government's broader foreign policy interests and objectives; supports the collection of foreign intelligence within and outside of Canada; and advances Canada's national security interests abroad through its international security programming and its role in responding to terrorist hostage-takings.
241. However, the Committee's review of the Department's activities has revealed a significant imbalance between the Department's broad and significant roles and the governance mechanisms which underpin these responsibilities and activities. Governance is the combination of internal and external structures and processes - including formalized policies, procedures and oversight committees - that ensure continuity and institutional memory, and support decision-making and accountability. In other words, governance is the foundation upon which decisions are made, activities are conducted and accountability is maintained. The Committee identified three areas where the weaknesses in governance are most prominent: the Department's role in the government's response to terrorist-hostage-taking; GAC's support to foreign intelligence activities; and the Department's management of foreign policy risk. These areas are addressed in turn below.
Coordination of the response to hostage-takings by terrorist entities
242. The government's response to terrorist hostage-takings suffers from important challenges. Responsibility for some of these rest with GAC, the organization charged with leading the coordination of the government's response. While the Department has consistently conducted some form of lessons learned exercise following critical incidents, it is clear that the findings from those exercises are not being implemented. Many of the same challenges repeatedly arose over time, including in the most recent incidents: an absence of clear policy and governance on the parameters of the government's response; gaps in leadership and centralized decision-making throughout incidents; unclear roles and responsibilities; and the absence of an institutionalized approach. At least some of these challenges could be addressed through the development of formal policies, protocols and standard operating procedures to guide the response of the Department and its partners. The specialized unit established by the Department in 2009 to develop those very documents has heretofore failed to do so.
243. This undermines the Department's claim to "lead the coordination" of government responses to critical incidents. Based on its review, the Committee believes that the Department provides little coordination or management of the government's response, ***. Nor can it in the current circumstances. Other key organizations on the government's Task Force, namely the Department of National Defence and the Canadian Armed Forces (DND/CAF), the Canadian Security Intelligence Service (CSIS) and the Royal Canadian Mounted Police (RCMP), play significantly greater operational roles in addressing actual incidents ***. They bring to each incident an abundance of experience and operational tools, each of which is subject to distinct departmental and ministerial accountabilities. Among other things, this leads departments to individually determine their levels of effort and tends to skew the government's response towards the mandate of the organization that brings the most capabilities in a given circumstance (for example, prioritizing a criminal investigation in the case of the RCMP and military options in the case of CAF). More broadly, the Committee found that departments have grappled with ambiguities around defining Canada's national security interests for individual incidents ***.
244. It appears to the Committee that the most significant of these challenges is systemic. A theme that has been consistently raised in lessons learned exercises, and one that appears frequently in working level documents, is that successive governments have failed to establish a general policy framework to guide departmental activities and to provide specific direction at the start of each case. While GAC and its partner departments should improve their approach to these critical incidents by developing formal policies and procedures and a clear model of centralized leadership, those efforts will reach a point of diminishing returns absent accompanying systemic reforms driven from the political level. Critical incidents occur infrequently, but when they do, they have a dramatic effect on the organizations responsible for responding and the victims and their families.
Support to intelligence partners
245. The Committee was interested to learn about the Department's *** support to its domestic *** partners for sensitive intelligence collection activities. Since at least the 1980s, GAC has played a central role in facilitating the collection of foreign intelligence within Canada ***. More recently, the Department has gained an important role in requesting or consenting to cyber activities conducted under CSE's newest authorities. The activities themselves carry significant risks to Canada's foreign relations and its international reputation ***. The Committee was encouraged to see the evolution and strengthening of interdepartmental governance mechanisms since 2019 for many of these highly sensitive activities, including the collection of foreign intelligence within Canada under the Canadian Security Intelligence Service Act and the conduct of cyber operations under the Communication Security Establishment Act.
246. Given the long-standing nature of this support and the existence of robust external governance of the various activities, the Committee was struck by the near total absence of internal governance with regards to GAC's role. GAC's Intelligence Bureau, the unit responsible for the Department's contributions to these activities, has developed few policies, procedures or internal committee structures to govern and oversee GAC's role in these sensitive intelligence activities (an internal planning committee on cyber operations is the exception). Despite the Department's critical role, it does not possess formal documentation explaining how it fulfills it, which internal stakeholders are consulted when preparing a section 16 rationale *** or how risk is assessed and mitigated. GAC also has no reporting requirements in place to keep the Minister of Foreign Affairs apprised on an ongoing basis of the Department's support to other government departments ***. This absence of governance is most striking when considering the potential risks posed by these activities to Canada's foreign relations and international reputation. While the Committee recognizes that GAC is not itself collecting the intelligence, the potential impact of the exposure or discovery of the activity falls squarely on the shoulders of the Minister of Foreign Affairs to address. The absence of internal governance, most especially reporting requirements, raises concerns around the Minister's ongoing awareness of and accountability for the Department's participation in sensitive intelligence collection activities.
Managing foreign policy risk
247. Throughout this review, GAC officials repeatedly emphasized that the Minister of Foreign Affairs "owns" the government's foreign policy risk. One of GAC's principal roles in the security and intelligence community is therefore to ensure foreign policy coherence. This consists of two inter-related responsibilities: maintaining awareness of the activities of the Department's security and intelligence partners, and ensuring the broad range of Canada's interests are considered when planning these activities or determining how to respond to a given threat. The government's recognition of the importance of this role has grown since 2016 with the promulgation of ministerial direction, changes to statutes and the issuance of ministerial mandate letters, further cementing foreign policy coherence as one of GAC's principal roles in the security and intelligence community.
External governance
248. Formalized external governance mechanisms are an essential tool through which GAC seeks to ensure foreign policy coherence. This starts at embassies and missions abroad. Departmental views on the responsibilities of their staff to heads of mission abroad were relatively consistent, with one exception: the RCMP, which stated that its deployed personnel had no reporting relationship, contrary to the DFATD Act, which notes that the head of mission is responsible for the supervision of the official activities of the various organizations working at the mission. *** An incident *** further illustrated challenges in ensuring heads of missions' awareness of activities in their areas of accreditation. Departments should recognize their responsibilities under the Act.
249. More broadly, GAC builds foreign policy coherence through interdepartmental engagement. The Committee was encouraged to learn of the consultation mechanisms in place between GAC, CSIS and CSE governing the broad range of their collaboration and opportunities for further cooperation. In particular, GAC's formalized contribution of foreign policy risk assessments for CSIS activities with a foreign policy nexus, and for CSE's active and defensive cyber operations, represent a recognition of GAC's equities and shared responsibilities in security and intelligence activities with a foreign nexus. This formalization allows for clear lines of communication, transparency in the process, comprehensive risk mitigation, and channels for dispute resolution and deconfliction.
250. The formal nature of consultation among GAC, CSIS and CSE contrasts starkly with the mechanisms in place between GAC and DND/CAF. In the past three years, the two organizations have received direction from the Prime Minister and their respective ministers to strengthen and formalize consultation to ensure the foreign policy coherence of CAF deployments abroad, active cyber operations, and activities in the South China Sea. The Committee has also identified the need for enhanced consultation between DND/CAF and GAC to ensure foreign policy coherence of the CAF's defence intelligence activities. While the Committee commends ongoing efforts to develop consultation mechanisms in response to ministerial direction, it notes that they remain in nascent stages of development over three years after the Prime Minister's direction. Officials from both organizations emphasized the frequent communication at all levels of their organizations on the broad range of their activities, but the Committee continues to believe that formal and properly documented consultation mechanisms would help to ensure the necessary degree of transparency, risk mitigation and deconfliction for DND/CAF's activities abroad.
Internal governance
251. Robust internal governance is equally important. However, similar to the Department's activities in support of its intelligence partners, the Committee identified significant weaknesses in the Department's internal mechanisms to govern its foreign policy coherence role. Aside from approvals templates drafted in 2021, the Department has not developed internal formalized policies, procedures or committees to guide, implement and oversee GAC's provision of foreign policy risk assessments to other departments. The importance of documentation also provides a valuable basis to understand the process by which the organizations arrived at their assessment, effectively ensuring both transparency and accountability in decision-making. While GAC officials explained their internal risk assessment process to the Committee and highlighted their internal consultations, the absence of formal documentation leaves the Committee unsure about the rigour and consistency over time of the Department's risk assessment process. To reiterate what the Committee noted earlier, these processes should support the accountability of the Minister: accountability is attenuated when they are weak or absent. Moreover, the absence of formalized processes and documentation has broader implications for partner organizations. CSIS and CSE's overall risk assessments involve a rigorous methodology and strict documentation requirements, but rely in part on GAC's assessment of risk. GAC's ad hoc process may introduce weaknesses into the government's broader assessment of risk, thereby undermining the viability of operations and activities.
Internal and external comparators
252. Weaknesses in governance are most striking when compared with GAC's intelligence partners. The Department collaborates with CSIS and CSE on a range of sensitive intelligence activities, from the collection of foreign intelligence within Canada under the CSIS Act *** and active and defensive cyber operations under the CSE Act. For all of these programs, CSIS and CSE have developed clear policies, detailed procedures and oversight committee structures to govern their contributions to the activities they conduct in partnership with GAC. Similarly, their internal risk assessment processes include rigorous methodology and documentation requirements for internal consultations. Finally, both organizations are required to report regularly to their respective ministers on the range of their activities. The Committee recognizes that, unlike GAC, CSIS and CSE have authorities that are grounded in statute and their activities have been subject to review for decades. Their respective statutes impose a number of governance and reporting requirements, and decades of dedicated review has encouraged them to develop and refine their governance practices over time. Notwithstanding their different mandates and authorities, the Department should look to these organizations for guidance in building its own internal governance mechanisms.
253. The Department should also look within. The Committee views GAC's international security programming divisions as a model of governance across the Department's national security and intelligence activities. These divisions have developed terms and conditions for each of their programming areas that outline eligibility criteria for individual projects, and processes for project proposal, review and approval. They are overseen by a tiered committee structure that provides input from broad strategic direction to direct project oversight. The programs undergo annual priority reviews and regular internal audit and evaluation. Unlike GAC's Intelligence Bureau, GAC's international security programs are subject to the program evaluation requirements under the Financial Administration Act and the Treasury Board Policy on Results. Similar to CSIS and CSE, these statutory requirements and regular evaluations have allowed these programs to refine and improve their governance practices over time. The Committee recognizes that the nature of the international security programs differs from that of the Intelligence Bureau, but believes that the governance mechanisms themselves can serve as a valuable internal example of the value of clear and transparent processes.
Consistency, institutional memory and accountability
254. In all of its previous reviews, the Committee has placed considerable emphasis on the importance of governance. Governance is the Committee's most significant concern here. The reason is simple: governance serves accountability. Governance mechanisms create a clear link between a minister's authorities and the activities conducted under those authorities, and they provide the necessary documentation and transparency to account for decisions. In turn, strong governance mechanisms - ministerial direction, formalized policies and procedures, oversight committees and regular reporting requirements - ensure consistency and institutional memory inside an organization. The development and documentation of processes and procedures ensure that proper processes and practices are built into a system, without relying on the good judgment of any individual official. The Department falls short in both areas. The Committee addresses each in turn.
255. Ministerial accountability is weakened by the absence of formalized and regular reporting requirements. The Department has few reporting requirements in place for the Minister of Foreign Affairs for its national security and intelligence activities, including those under section 16 of the CSIS Act, *** the foreign policy risk assessment process, and foreign arrangements under the CSIS Act and the CSE Act. Instead, the Minister of Foreign Affairs provides their approval for a foreign intelligence target *** or a foreign arrangement, but no formal mechanism exists to keep the Minister apprised of those activities and their associated risks. The absence of reporting mechanisms may limit the Minister's understanding of the full scope of the Department's national security and intelligence activities, how they have changed, and the evolving risks associated with them, effectively undermining their ability to account for the activities over time (as a recent example, GAC did not notify the Minister ***). While the Department noted that the Minister is briefed regularly on the Department's sensitive activities, it acknowledged that the gap in formal reporting requirements would be addressed through forthcoming ministerial direction. Footnote 518 The Committee commends GAC's recognition of this gap, but emphasizes that ministerial direction is only one part of a broader suite of policies, procedures and oversight structures that form a mature governance framework.
256. Furthermore, the informal and ad hoc consultation within the Department weakens consistency and institutional memory of its contributions to the security and intelligence community. The issue of consistency applies most clearly to GAC's role in ensuring foreign policy coherence. Notwithstanding GAC's assurances that the Department consults all relevant internal stakeholders during its internal risk assessment process, including geographic desks and heads of mission, the absence of any policies or documentation of consultation makes it difficult to determine whether these practices are applied consistently over time and across cases. The same is true for the Department's contributions to national security reviews under the Investment Canada Act, where internal consultation process are ad hoc and relevant stakeholders are determined on a case-by-case basis. The challenges of consistency and institutional memory are exacerbated by the Department's human resources systems. Staffing within the Department is partly rotational, which means that a portion of its employees changes roles every two to three years. In the context of frequent staff rotation, documented policies and procedures are even more critical to ensuring that officials are aware of past practice and able to ensure the quality and rigour of processes on an ongoing basis.