Public Safety Committee on March 22nd, 2018

We are prohibited from targeting Canadians anywhere, so if there is a direct correlation, and that activity is emanating from a Canadian's communications, it's off limits.

Thank you.

Maybe I'll start by answering your question, and then, again, we'll look to Shelly to further my description.

It goes back to mandate. The Communications Security Establishment's mandate is foreign signals intelligence that's not directed at a Canadian or anyone in Canada, which is a foreign focus. Suffice it to say that there are other pieces within the national security apparatus that focus on threats to Canada that may emanate from a Canadian. Some of our partners in that....

Shelly, do you want to speak a bit about how we work with partners in that regard?

Looking at terrorist activity is very much a team sport in Canada. The RCMP, CSIS, CSE, as well as others each have a role, and we work together to understand what each of us is bringing with our mandates, authorities, skills, and capabilities. In this case, it may be within the services' remit to be looking at a Canadian outside of Canada who was involved in these activities.

Our legislation currently allows us to provide an assistance role to the RCMP and CSIS. Generally it is for national security agencies and law enforcement agencies, but in practicality, it is mostly CSIS and the RCMP. In that case, if they had the authority, they could ask us for assistance in that space, and we could use our capabilities to assist them as long as it was done within the parameters of whatever legal authority they're operating under.

A key part of our mandate is around cybersecurity, and it was a core part of our mandate well before this new proposed legislation. One of the cornerstones of what we do is to try to protect, as well as we can, the Government of Canada systems and, more so even with this legislation, systems of importance to the Government of Canada.

I mentioned in my earlier remarks that right now, through the technology and people we have, CSE is deploying very sophisticated cybersecurity defences on Government of Canada networks. Those help us on a daily basis. I've already quoted that we're blocking up to a billion malicious actions per day. The magnitude of these malicious cyber-actions is extremely high, so we work every day to block those actions.

When something actually happens—and we always say that no one is immune in this environment as it's a very challenging environment—we also have a very important responsibility. We work with the implicated department, for example, and with others across government to ask how we can remediate this as quickly as possible to ensure that information is being protected and that services are back up and running.

The whole issue around publicly available information, I understand, has been considered around this table. I'll just try to perhaps add a couple of pieces to it.

For us, mandate is critical. Mandate matters, and it matters throughout the entire piece of legislation that is in front of you, and that includes publicly available information. We can use publicly available information only if it is related to our mandate, our foreign signals intelligence mandate or our cybersecurity mandate. We do not have within our legislation, currently or proposed, any mandate to focus our activities on Canadians, to have an investigative capability, to create dossiers on Canadians. That is not within our current or proposed legislation.

I would start with the fact that mandate matters.

The second piece I would relate is that, as I think has been raised before here, publicly available information—and it's defined in our act—would not comprise information that has been hacked or stolen. This is information that would be publicly available to any Canadians.

Also—

Yes.

Mr. Chair, I have to go back to the point that, even on publicly available information, it goes back to our mandate. We would access publicly available information only if it were related to our mandate, and we do not have a mandate that focuses on Canadians or anyone in Canada. For the particular case you're referring to, I understand the Privacy Commissioner is looking into it, and I guess the details around it are still unfolding, so I can speak only to our legislation. Again, it goes back to our mandate. It would be very specific: what's the case for which we would need it? Also, very much, the proposed legislation talks about two other things.

Number one, it says we'd have to have privacy protection measures in place, even for publicly available information. Number two, like every other aspect of the proposed legislation, it would be subject to review by the national Security Intelligence Review Committee. This is not CSE having the authority to go look at any publicly available information. It's very targeted and very focused on fitting within our mandate, and again, with privacy protection measures in place, and finally, with review from an independent review agency looking at all of our activities.

I hope that answers your question.

You covered a lot of territory there. Maybe I'll start with the piece about CSE being asked by the Minister of Democratic Institutions to look at this issue around democratic institutions.

I'm thinking back and I'm looking to Scott. About a year ago, in about June 2017, CSE was asked by Minister Gould, the Minister of Democratic Institutions, to look at cyber-threats to Canadians' democratic institutions. For the first time in our history we actually produced a report that's available to this committee, if you haven't seen it, which looked at broad cyber-threats to democratic institutions.

We really looked at three different aspects of that. We looked at the electoral process per se, so how the electoral machine works. We also looked at cyber-threats to politicians and political parties, and we also looked at cyber-threats to the media. We came out with an assessment at that time, about a year ago.

The Minister of Democratic Institutions now is asking us to review our threat assessment in light of changes that have occurred over the past year. Even when we put out the initial report, we said that this would probably be an evergreened report based on new information and new threat information.

That's the kind of work we expect to be doing over the coming weeks, to review our threat assessment based on information and activities that have occurred over the past year. This is refreshing it.

Again, it's focusing on our mandate, which is, again, to not focus on Canadians or anyone in Canada. I think it's recognizing that there could be incidental collection as we undertake our activities. It's also focusing on, if I understand the question correctly, how we work with foreign partners.

I'm joined here today also by our chief privacy officer and deputy chief responsible for policy and communications. Again, as privacy is part of his title, I'm going to ask Dom to speak a bit about how we work with partners and deal with private information.

Thank you for the question.

I'll stay in English and try to answer by looking at this from the angle of foreign signals intelligence.

When we collect information, you're quite right that given the nature of how communications work, we may come across information related to a Canadian. Let me use a tangible example. We're looking at known bad guy X in country Y. This bad guy X is in line with an intelligence priority of the government. It stands to reason that they're a bad person wanting to do bad things that are an affront to national security. We're collecting against this person.

Now this person, unbeknownst to us, could phone you. When we collect that, we need to understand that the resulting call becomes a private communication. The Criminal Code is very clear that it is against the law to collect a private communication.

We have ministerial authorizations that cover the various activities that we use to collect information and that allow us to keep that information, if indeed it is of national security or intelligence interest. As you pointed out, we are to delete it immediately if it doesn't. If the phone call is to you and it's talking about something that is not related to national security, we are to delete it. We annotate that. We delete it immediately, and that is reviewed by our commissioner to make sure we delete these things on an annual basis.

If indeed it has a national security interest, then we keep it, but even in keeping it, we write a report that talks about the conversation you may have had, possibly about blowing up something somewhere that is of interest to Canada. We would still protect your identity in that report, by using a generic term to render your identity illegible.

Then it comes time for information sharing. Where does our report go? Obviously there are domestic agencies within the national security apparatus here in Canada—CSIS, RCMP, and others—that have an interest in reading the report. Now they may have a legal mandate to know the identity of that Canadian, so there are procedures in place to disclose that information to them.

Similarly, when we're writing reports, some of the information is obviously shared with foreign partners, and there are other things that govern that exchange of information. Again, though, if they wanted the disclosure of that information, they would have to show us why it was imperative for them to get that information.

Of course, we're bound by other things. We have a ministerial directive, for example, which was recently reissued by our minister, related to information sharing that may lead to the risk of mistreatment. We do an analysis of what our partners want that information for and what they are going to be using it for, and we do a risk analysis to make sure it isn't going to be leading to mistreatment. There's a calculus that happens before any information is shared.

Without going into too much detail, I would say that the example you give would be within the mandate of CSIS. If that partner has information about a Canadian, we then work in partnership with CSIS.

We would look to CSIS and say, “There's information possibly about a Canadian. That is your responsibility, not ours,” in terms of following up with regard to a specific Canadian.

I'll talk quickly about the parts of CSE's mandate. From a foreign intelligence collection perspective of the mandate, we have a responsibility to collect foreign intelligence across the intelligence priorities that the government sets. To your point, those intelligence priorities definitely go beyond solely supporting military and Canadian Armed Forces function. They're looking at threats to Canada writ large, and the government of the day determines what those intelligence priorities are.

The information we're collecting is really looking at safeguarding and protecting Canadians from a wide range of threats and risks.