Thank you and good afternoon, Mr. Chair and members of the committee.
My name is Dominic Rochon, and I am CSE's deputy chief for policy and communications. I'll add that I have the distinction of being CSE's chief privacy officer and the delegated authority under the Access to Information Act and the Privacy Act. It is a pleasure to appear before you today as you continue your study of the Security of Canada Information Sharing Act, otherwise known as SCISA.
I’ve been invited here today to clarify the mandate of the Communications Security Establishment, or CSE, and to provide insights into how CSE protects the privacy of Canadians while engaging in activities that ultimately protect Canadians from foreign threats.
For committee members unfamiliar with CSE and CSE's history, I can tell you that CSE has been in the business of protecting Canadians for over 70 years. Protecting the privacy interests of Canadians and persons in Canada has always been integral to the performance of this mission.
Let me first start by explaining our mandate and the work that CSE does to protect Canada. Our mandate consists of three parts, as defined in the National Defence Act. The first part, referred to as part (a), authorizes CSE “to acquire and use information from the global information infrastructure for the purpose of providing foreign intelligence, in accordance with Government of Canada intelligence priorities”.
I emphasize “foreign” because CSE only directs its activities at foreign communications. CSE is prohibited by law from directing its activities at Canadians anywhere or at anyone in Canada.
CSE produces valuable intelligence under part (a) of its mandate. For example, CSE provides vital information to protect Canadian troops in Iraq as they contribute to the global coalition to dismantle and defeat Daesh.
In addition, CSE’s foreign signals intelligence has also played a vital role in uncovering foreign-based extremists’ efforts to attract, radicalize and train individuals to carry out terrorist attacks in Canada and abroad.
The second part of our mandate, known as part (b), authorizes CSE “to provide advice, guidance and services to help ensure the protection of electronic information and of information infrastructures of importance to the Government of Canada”. This part of our mandate authorizes CSE to protect Canada from the growing cyber threat.
Cyber threats used to be the exclusive domain of nation-states. That is not the case anymore, as malicious cyber tools become easier to obtain and the motivations for malicious actors become more diverse. In this rapidly changing threat environment, the services of CSE have become increasingly important.
Across the government, CSE is protecting 700 million connections daily from a user population of about 377,000 people. Every day we block over 100 million malicious attempts to identify vulnerabilities and to penetrate or compromise Government of Canada networks. CSE also shares cyber threat information with Public Safety Canada for further dissemination to the private sector in order to protect the intellectual property of Canadian businesses.
Finally, the third part of our mandate, referred to as part (c), authorizes CSE to provide technical and operational assistance to federal law enforcement and security agencies in support of their lawful mandate. This part of the mandate is important for Canada's national security given that CSE possesses unique skills and tools not found in other government departments, particularly in the area of encryption. We know, for example, that terrorists are adaptive and tech-savvy. They use cutting-edge technology, smartphones and messaging applications to communicate. They also use very advanced encryption techniques to avoid detection.
As a result, the threat puzzle that intelligence agencies try to piece together is not always straightforward and requires co-operation to solve—a reality, in fact, highlighted in the preamble of SCISA. Sharing foreign intelligence and cyber threat information with our domestic partners is crucial to a whole-of-government approach to protecting Canadians. It is by sharing intelligence that we warn the Government of Canada about the intentions and capabilities of those beyond our borders who mean us harm.
When doing so, Canadians and persons in Canada cannot be the focus of CSE's activities, and CSE must apply measures to protect the privacy interests of Canadians included in any information being shared. These privacy measures take the form of rendering Canadian identifying information found in the intelligence being shared unintelligible, leaving it to the receiving Government of Canada department or agency to demonstrate a need for that information and the authority to receive it.
Although information sharing is essential to protecting Canada’s security, CSE recognizes that the sharing of information could potentially touch upon fundamental rights and freedoms, particularly the right to privacy.
I want to stress that, not only is protecting the privacy of Canadians a fundamental part of CSE's organizational culture, it's also enshrined in CSE's mandate. The National Defence Act directs CSE to protect the privacy of Canadians in the use and retention of information.
As such, CSE has multiple policies, structures and processes in place to ensure continued adherence to privacy laws and policies.
These structures include executive control and oversight, operational policies, procedures and compliance measures, an on-site legal team from the Department of Justice, and active ongoing monitoring of internal processes. CSE's privacy framework includes operational policies that set out specific handling processes, retention periods, and sharing guidelines. These policies also allow for the validation, tracking, and auditing of information received.
CSE also provides regular training and testing for staff on our mandate, privacy rules, and compliance. In addition, all of CSE's activities are subject to robust, external, expert review by the independent CSE commissioner. The CSE commissioner, who is usually a supernumerary judge or retired judge of a superior court, has full access to CSE employees and records.
I would also like to add that the CSE commissioner has all the power of the commissioner under part II of the Inquiries Act, including the ability to inspect any records held by CSE and the power to subpoena CSE employees to provide information.
The work of the CSE commissioner has had a positive impact on CSE's accountability, transparency and compliance. It has also led to CSE strengthening a number of its policies and practices. The Office of the CSE Commissioner staff regularly interact with CSE employees when conducting reviews. Since 1996, CSE has accepted and implemented all the CSE commissioner’s privacy-related recommendations.
Though much of what we do is classified, we are committed to becoming more open and transparent about how we protect Canadians' security and their privacy. We know that openness is crucial to ensuring public trust in what we do, and as the government pursues its overall national security agenda, we continue to be forthcoming about our operations.
With respect to SCISA, you are aware that SCISA lists CSE as an entity that can receive information from another Government of Canada institution. I want to emphasize that SCISA does not supersede or expand CSE's authorities to collect or receive information from our domestic partners. To date, CSE has not relied on SCISA to receive or disclose information. CSE's existing procedures and processes to authorize and manage information sharing meet or exceed those set out in SCISA.
When sharing information, CSE currently relies on authorities under the National Defence Act. Information sharing at CSE is undertaken in accordance with the provisions of the Privacy Act. CSE's established information-sharing arrangements are set out in information-sharing agreements with our domestic security and intelligence partners.
CSE may also receive information from Government of Canada agencies under the National Defence Act and the Privacy Act authorities when relevant to its mandate, although the need to receive information is minimal considering CSE cannot direct its activities against Canadians or persons in Canada.
I should add that the CSE commissioner does conduct an annual review of our information-sharing disclosure activities, and to date he has always found that these activities were done in compliance with the law.
I'll conclude my remarks by stating that I am confident in our ability to fulfill our mandate while safeguarding the privacy of Canadians. My confidence stems from both the rigorous legal and policy frameworks in place to protect the privacy of Canadians, and the professionalism and commitment of CSE's highly skilled workforce.
Thank you for inviting me here today. It would be my pleasure to answer any questions you might have.