Evidence of meeting #93 for Public Safety and National Security in the 42nd Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was cse.
A video is available from Parliament.
11:30 a.m.
Commissioner, Office of the Communications Security Establishment Commissioner
Once again, that is up to the government to decide.
I know that, at one point, there were discussions to decide whether we should divide up the bill and study its various parts separately. The government decided that was not necessary. So the bill has to be studied in its entirety. That makes it more complicated, of course, but it does not stop us from making suggestions and proposing the amendments we feel are needed.
11:30 a.m.
NDP
Matthew Dubé NDP Beloeil—Chambly, QC
Of course.
In the answers you have provided to some of my colleagues, you discussed the mandate of the CSE. Ms. Bossenmaier, the CSE chief, appeared before us, and I asked her specific questions on the proposed subclause 24(1), the first paragraph of which presents exceptions for cases of publicly available information. This concerns us, as do the paragraphs that follow. Ms. Bossenmaier mentioned that the mandate of the CSE essentially affects foreign entities, and not Canadians. I would like to ask you a number of questions about that.
First, is the mandate legal or is it understood as such by the CSE?
Also, these types of exceptions are included in the bill, but we really have yet to hear why. For example, it reads: “The Minister may, by order, designate any…electronic information or information infrastructures as…of importance to the Government of Canada.” All these matters are unclear, and we are not able to justify the scope.
I have touched on several questions, some of them in the form of comments. I would simply like to know your point of view on these subjects.
What is the mandate of the CSE? Is the bill widening its scope without us being able to justify the concrete reasons for doing so and the intended objective?
11:30 a.m.
Commissioner, Office of the Communications Security Establishment Commissioner
The mandate of the CSE is not to target Canadians or people in Canada. Under the legislation, the CSE must target foreign entities. This does not change. If by chance the CSE decided to target Canadians, it would be illegal. In my opinion, this is what gives the oversight agencies their importance, whether it is the proposed new committee or the intelligence commissioner, although I think his title should be “judicial commissioner of intelligence”, since he plays a quasi-judicial role. I am proposing this amendment, by the way.
It is necessary to consider a set of data to ensure that the role of our intelligence agencies, whose activities are partly secret, is scrutinized by monitoring agencies worthy of the name. That way, public trust in these agencies is maintained.
11:30 a.m.
NDP
Matthew Dubé NDP Beloeil—Chambly, QC
Although the mandate isn't to target Canadians, some aspects of the bill are worrying in this regard. I'm going to address several points quickly.
Subclause 22(1) states:
22(1) The Minister may, by order, designate any electronic information, any information infrastructures or any class of electronic information or information infrastructures as electronic information or information infrastructures—as the case may be—of importance to the Government of Canada.
Although the target is foreign entities, the designated infrastructure may be in a global ecosystem and be used by Canadians.
The other thing I want to draw your attention to and get your comments on is the proposed section 23, which talks specifically about the targeting exceptions for Canadians. However, it says in proposed subsection 24(1):
24(1) Despite subsections 23(1) and (2), the Establishment may carry out any of the following activities in furtherance of its mandate: (a) acquiring, using, analyzing … publicly available information;
The following is stated further on:
Information acquired incidentally (4) The Establishment may acquire information relating to a Canadian or a person in Canada incidentally in the course of carrying out activities under an authorization issued under subsection 27(1), 28(1) or (2) or 41(1).
Despite the mandate and what is understood by the agency, there are a lot of loopholes. Canadians could be affected.
Given the exchange of information between the agencies and with our allies, particularly the Americans, and the absence of a prescription regarding the length of time the data will be retained, don't you think that risks might be incurred?
11:35 a.m.
Commissioner, Office of the Communications Security Establishment Commissioner
The executive director or the legal adviser will surely be able to answer, but just before that, I would like to clarify one point. At present—and this will still be the case if the bill is passed—if the CSE is engaging in targeting abroad and incidentally intercepts conversations or communications from Canadians, it must obtain authorization each time from the minister, who must personally authorize these activities. In addition, remember that the authorization, once granted by the minister, is reviewed by the oversight agencies. We want to ensure that everything is done in accordance with the legislation. This means that parameters are set to ensure that the activities of the agencies are legal and do not violate the privacy of Canadians.
From your question, I can see that the public is having a little difficulty in identifying certain aspects, because some of the activities are secret. That goes without saying, since these are intelligence agencies.
11:35 a.m.
Liberal
Michel Picard Liberal Montarville, QC
Thank you, Mr. Chair.
I find this fascinating. I will move directly to my questions because I want to give our guests more time to expand on the subject.
First of all, I would like a few clarifications. In your—
11:35 a.m.
Commissioner, Office of the Communications Security Establishment Commissioner
I'm sorry, Mr. Picard, but I can't hear you very well. It may be age-related; I'm not sure.
11:35 a.m.
Liberal
Michel Picard Liberal Montarville, QC
I can tell you that you don't seem 75.
In your sixth proposal, you state that the Commissioner of Intelligence should prepare a public annual report for the Prime Minister. I'm not convinced, and I would like some clarification.
In your current role, is the annual report issued to Parliament or to the Prime Minister?
11:35 a.m.
Commissioner, Office of the Communications Security Establishment Commissioner
Currently, the commissioner of the CSE that I am produces an annual report through the Minister of National Defence, which, by law, must be tabled in both Houses of Parliament within a legislated time.
Given that, according to the new bill, it is the Prime Minister who recommends the appointment of the Intelligence Commissioner, I propose that a public report be submitted every year and that, in the same way as the Minister of National Defence does currently, the Prime Minister undertakes, by law, to table it before both Houses. In my opinion, there must be a public report. The bill does not mention anything about it.
What is the purpose of a public report? First, it emphasizes the commissioner's independence. Second, it is a matter of public trust. Not only the public, but parliamentarians and commentators, too, want to know what the Intelligence Commissioner is doing.
11:35 a.m.
Liberal
Michel Picard Liberal Montarville, QC
Since you are intervening, the version submitted to the Prime Minister will have to be amended to make it public, because of the sometimes very sensitive nature of the information.
11:35 a.m.
Commissioner, Office of the Communications Security Establishment Commissioner
The commissioner is the one who does this work. That would be done in advance, much like we do today. In other words, we could produce two reports, in theory: a classified report for the Prime Minister or the committee of parliamentarians, and a public report for the general public.
I think this would be essential for ensuring public trust and accountability.
11:40 a.m.
Liberal
Michel Picard Liberal Montarville, QC
I would like to go back to another point on which the debate has been rather limited. Your second proposal concerns the famous one-year extension of the validity period of a foreign intelligence authorization.
If the activity has already been approved by you at the start and it's just a matter of validation, why is it necessary to ask for permission again for an ongoing activity? Have you taken into account the fact that circumstances are likely to change during the year and that it might make you change your mind, perhaps even to the point where you would not have allowed the mission from the outset if you had known a number of things?
January 30th, 2018 / 11:40 a.m.
Commissioner, Office of the Communications Security Establishment Commissioner
My philosophy is this: if the Intelligence Commissioner needs to approve the initial application, which is valid for one year, I don't see why he shouldn't be involved a year later when an application for renewal of the validity period is made.
Why is an application for renewal made a year later? It must be presumed that new facts have arisen, since a renewal is wanted. At that point, the agency in question will have to submit a written request to the minister, who will have to determine whether the reasons given by the agency are sufficient to authorize the one-year extension.
I don't understand the reasoning for the commissioner's involvement initially, but not for the renewal. I'll make an analogy. It's like appearing before a judge to request a search warrant. It's fine, but a year later, if you want to get an extension of the term, you have to go back to the judge and make a request. It's a bit like that.
11:40 a.m.
Liberal
Michel Picard Liberal Montarville, QC
Thank you.
I'd like to come back to your first recommendation. It's a philosophic discussion, but I can never get a grip on the principle: we're talking about active cyber operations, at worst, and defensive cyber operations. We are cautious in our choice of words when we say that cyber attacks are not made in particular circumstances.
I had a whole series of questions, but I'm going to start backwards. The first question may be a bit silly: would conducting a cyber operation targeting a foreign country constitute an act of war?
11:40 a.m.
Commissioner, Office of the Communications Security Establishment Commissioner
I'm not an expert in this area. The people from CSE should be the ones to answer your question.
I don't know if Mr. Galbraith has an answer.
11:40 a.m.
Liberal
Michel Picard Liberal Montarville, QC
Would it be an act of war, legally speaking? I think there's the whole legal aspect.
Regardless of the number of laws involved, if an organization that is a government organization by definition is conducting a foreign operation, the same way that we are victims of overseas operations that greatly justify cyber operation defensives, are we on the playing field of acts of war?
11:40 a.m.
Commissioner, Office of the Communications Security Establishment Commissioner
As a first step, with the CSE, the government determines that in the area of national and international security, it is essential to give the CSE the previously mentioned authority for active and defensive powers.
I think the mandate is very broad, and there may be implications for the charter and the privacy of people. That's why I say that there needs to be some sort of oversight from an independent body. Currently, this independent body is the Intelligence Commissioner. I don't understand why the Intelligence Commissioner should be excluded from this oversight because, supposedly, information is not being collected.
As I mentioned in my remarks, and the Department of Justice seems to agree as well, there may be implications for the charter and privacy. It seems to me that, for that reason, it would be good if any kind of oversight was done.
11:40 a.m.
Special Legal Advisor, Office of the Communications Security Establishment Commissioner
Mr. Picard, I would add that Parliament gives itself the legislation that it wants to give itself.
Bill C-44, which clarified the mandate of CSIS to act externally, also gave federal court judges the power to authorize activities abroad. This is something we would not have seen before, but which is now inserted in the Canadian Security Intelligence Service Act. These are the same reasons for the proposed new powers of the CSE. If accepted, they will become part of the legal system, even though, in the process, charter issues will need to be addressed.
11:45 a.m.
Conservative
Pierre Paul-Hus Conservative Charlesbourg—Haute-Saint-Charles, QC
Thank you, Mr. Chair.
Thank you, gentlemen.
First, thank you for the very comprehensive document you submitted to the committee. Bill C-59 is, indeed, complex to study, and the document you have provided contains very important elements.
I would like to come back to one point, the approval process.
The problem right now is cyber threats. In cyber defence, there is a maximum number of resources that can be in the know and that can counter cyberattacks. We work together on this. However, when we talk about active trading, that is, when Canada conducts cyber operations, I find that there are many levels of intervention, given the secret nature of the information. If you want to carry out an operation, you need to collect information or make computer-based interventions in the systems.
This morning, I attended the meeting of the Standing Committee on National Defence. We have heard from people who work on cyber operations. According to them, in defence, the important thing is to provide protection. In case of attacks, they will especially turn to the CSE.
According to Bill C-59, when we talk about conducting operations, we seek the approval of the Minister of Foreign Affairs. On your side, you also ask for supervision by the Intelligence Commissioner.
Don't you think there are too many people involved in secret operations?
11:45 a.m.
Commissioner, Office of the Communications Security Establishment Commissioner
It's difficult for me to answer that question, because I don't know everything it implies, operationally speaking.
However, from what I do know, since the CSE observes foreign entities, I imagine those concerned also considered that the Minister of Foreign Affairs should be involved as well, regarding active and passive cybersecurity operations. Because this is something that happens on foreign soil, we think the minister should authorize these operations, or initiate them. I don't see a problem there. However, as I said earlier, I have a problem when people say that the Intelligence Commissioner should not be involved in reviewing everything, either because of the charter or privacy issues.
11:45 a.m.
Conservative
Pierre Paul-Hus Conservative Charlesbourg—Haute-Saint-Charles, QC
For the committee's information, could you provide two examples of operations Canada could request be conducted abroad? Could that be, for instance, collecting telecommunications intelligence in particular circumstances? I'd like to hear some examples. The debate is theoretical right now, and no one wants to actually say what type of active operations Canada might need to carry out.
Could you provide some examples to us?
11:45 a.m.
Special Legal Advisor, Office of the Communications Security Establishment Commissioner
Clause 27 of the current bill concerns gathering foreign intelligence. Clause 28 concerns cybersecurity. Clause 31 concerns active measures, as you said earlier. Active measures, as defined in the law, are not meant to apply to gathering intelligence. We are not supposed to interfere with the system.
The examples are many. There could be operations for military purposes. At this time, the military would turn to the CSE to reach their goal, which is fine. The CSE could also help other agencies.
Clause 31 implies that the CSE could carry out activities that might intercept communications, for instance involving international relations. This goes beyond the framework involving other countries where operational purposes are security and defence. The term “international affairs” can mean many things.
We have to consider the fact that the commissioner will be involved in such decisions. Clause 27 would authorize the same type of information-gathering activity, and the activity will be reviewed. We do not really understand why the commissioner would be excluded when it comes to active operations. As you said, this is something new.
11:45 a.m.
Conservative
Pierre Paul-Hus Conservative Charlesbourg—Haute-Saint-Charles, QC
Since I only have one minute left, I will conclude by highlighting proposal 7, for the benefit of the members of the committee. It's an important proposal that concerns the National Defence Act. This act states that “the expected foreign intelligence value of the information that would be derived from the interception justifies it.” However, that provision does not appear in Bill C-59. So that is a good recommendation, and I thank you for it.
