Public Safety Committee on Jan. 30th, 2018

We are studying all of the aspects and following the development of the committee of parliamentarians. We are meeting with CSIS and CSE with respect to how they're preparing and, to the extent that we can, we are keeping abreast of their work in developing the new authorities that they may have.

I'm happy to go first. Thank you, Mr. Chair, and thank you to the committee for this invitation.

My prepared remarks are about the CSE and CSIS bulk data collection.

In his testimony to this committee, Professor Craig Forcese made a very important point about the thresholds for authorizations for CSE data collection.

Proposed section 23 of what would be the new CSE act sets out that activities carried out by the CSE in relation to its various mandates must not be directed at Canadians or persons in Canada. This is of course a continuation of the current situation in which the CSE is required not to direct its activities in this fashion.

Nevertheless, it is well established and conceded that the information of Canadians and persons in Canada is collected, because some collection, and by no means insignificant collection, is unavoidable due to the complexity of communication networks. Thus, Canadians' information is collected incidentally or unavoidably.

Part of the new regime proposed for the protection of Canadians' privacy interests is to require that the CSE seek a ministerial authorization that is then approved by the intelligence commissioner. The trigger that initiates this process of authorization and intelligence commissioner vetting would occur when the CSE's activities would otherwise contravene an act of Parliament.

We agree with Professor Forcese that this trigger is under-inclusive, a view that is now echoed by Citizen Lab, the Canadian Internet Policy & Public Interest Clinic, and others.

As Professor Forcese notes, there is concern that the proposed threshold would not ensure that the authorization process would, for example, be initiated for activities that incidentally collect Canadians' metadata, which is obviously of critical importance.

Craig Forcese proposes a more expansive trigger, in which the authorization process is required for activities that would otherwise contravene any other act of Parliament or “involve the acquisition of information in which a Canadian or person in Canada has a reasonable expectation of privacy”, a threshold that has already been referenced.

Our problem with this proposed addition is simply this: that the question of what precisely attracts “a reasonable expectation of privacy” is typically the central dispute in almost any emergent privacy issue, and this threshold would be adjudicated internally by the CSE.

We know, not least from years of reports from the CSE commissioner, that disputes over the interpretation of legal standards and definitions have been of ongoing concern, and national security activities in general are plagued with the “secret laws” problem of having words in a statute or directive interpreted in sometimes obscure or deeply troubling ways, and ways that may not be unearthed for years. Therefore, a trigger that involves a colourable definition is inherently problematic, in our view.

However, we read the latest CSE commissioner's report as indicating that the CSE has conducted its signals intelligence activities under just three ministerial authorizations since 2015. It appears that these authorizations tend to authorize a broad sphere of activities. Our understanding that the frequency and scope of “incidental collection” suggests that most, or even all, of the authorizations are apt to at least implicate Canadians' data. In other words, there are only a small number of authorizations, and almost all are apt to require the authorization regime of vetting by the intelligence commissioner.

Surely, then, it is best and still entirely feasible and efficient—to ensure that this authorization process does indeed examine everything that we are hoping it will—to simply have one uniform process of authorization approval by the intelligence commissioner for all classes of activities undertaken outside of the technical and operational assistance mandate, which is, as you know, its own sphere of activities.

For everything else, we recommend that the question of threshold be resolved by eliminating the need for a threshold and ensuring that every class of activities authorized be subject to the new accountability procedure of ministerial authorization and vetting by the intelligence commissioner.

I will turn now to bulk data collection by CSIS. It was most certainly our concern coming out of the national security consultation that the government response to the CSIS bulk data scandals, if you will, would be to simply empower the agency to do what it had previously been doing unlawfully without having a meaningful democratic debate about mass data acquisition in the context of national security. We certainly appreciate that having bulk data collection squarely on a legislative footing does improve transparency, but we are deeply concerned with the low threshold that is proposed in Bill C-59 and that this critically important matter is, quite frankly, receiving insufficient attention in the context of a large omnibus bill.

It was only recently that SIRC did its first-ever audit of the bulk data collection programs of CSIS. SIRC is of the view that appropriate bulk data collection by CSIS can occur under CSIS's current section 12 standard of strict necessity for data collection. In our view, it is hard to imagine a body that would be better positioned to assess this, both from the perspective of accountability and respect for the rule of the law and from the perspective of the operational needs of CSIS.

SIRC's proposal for the standards and criteria for bulk data collection is a three-part test: that there be a clear connection to a threat to the security of Canada, that no less intrusive means are available, and that there be an objective assessment of intelligence value.

Now, compare that standard with the standard set out in Bill C-59. Bill C-59 allows CSIS to collect publicly available datasets, with no definition of that term, on the basis of a bare relevance standard. With respect to Canadian datasets—which, we need to remember, are expressly defined as datasets that contain personal information expressly acknowledged as not directly and immediately relating to activities threatening the security of Canada—the test for their acquisition is simply that the results of their querying or exploitation could be relevant and that this assessment must be reasonable.

It may be argued that this vast scope for bulk data collection is at least mitigated by the requirement for judicial authorization for the retention of those datasets, but rather than providing significant gatekeeping, this authorization simply compounds the effects of the very low standards that lead up to it. Personal information that does not directly and immediately relate to threats to the security of Canada is allowed to be collected if it “could be relevant”, if this assessment is “reasonable”, and if the judge then decides that the dataset can be retained on the standard of “is likely to assist”.

These, then, are the thresholds of what most Canadians would call mass surveillance, and we believe most Canadians would reject these thresholds as shockingly low standards. Thus, a genuine opportunity to meaningfully shape these surveillance practices is being squandered in Bill C-59.

The proposed standard represents a mass erosion of the privacy protections from the strict necessity standards that currently apply. We recommend that the CSIS bulk data provisions be revised to be expressly within the strict necessity standard, and not in exception to it, and that the criteria for bulk data collection, such as that fashioned by SIRC as implicitly principled and workable, be set out within the legislation.

Those are our prepared remarks. Thank you.

Thank you very much, Mr. Chairman, and thanks for this opportunity to speak to everybody today.

As you know, I am the provincial security advisor for Ontario. I began this role in January of 2017. Prior to that, I spent almost five years as a consultant to private and public organizations in the area of national security-related risks, including cyber-threats. Prior to that, I was with the Canadian Security Intelligence Service, CSIS, and left that organization in 2012 as the assistant director.

As a result of joining CSIS at its inception in 1984, I've witnessed a tremendous number of milestones that shaped Canada's security intelligence environment, more specifically in regard to the organizations that are central to Canada's threat response.

At this moment, we find ourselves yet again at the cusp of change, and obviously important change. Although the CSIS Act has been widely viewed as a model of effective security intelligence legislation, it has required renovation from time to time, perhaps not so much due to any particular failings but rather to the necessity of changing times socially, culturally, politically, and, now more than ever, technically.

Of all the elements of import in Bill C-59, it is time to consider essential changes for an organization that I did not work for but to which I maintained important operational connectivity over many years. It is time for CSE to have its own enabling legislation, as its current mandate is 16 years old.

Most critical to that transformation of mission and mandate is the area related to cyber-threats. Canada must now join the community of like-minded nations determined to resist the growing threat of globalized criminal enterprise, nation-state-directed theft of intellectual property or interference in our society, and the potential for catastrophic destruction of critical infrastructure, be it the result of fifth-dimensional warfare or terror attack. We must support and connect and keep pace with our allies, from Australia to the EU. They themselves have recognized the nature of this new 21st century threat environment.

The nations that do not support or believe in these values certainly have discovered the benefits of hybrid or fifth-domain warfare. They are extremely active in targeting our key infrastructure and our future prosperity through the theft of the best and most important intellectual property the country has to offer. They've also noted the ease and the immediate benefits of undermining our democratic processes by undermining people's trust in institutions, as well as our ability to conduct respectful and constructive dialogue.

There are a number of areas to explore in this discussion today, but first let me say that I've also been a long-serving and vocal advocate of increased accountability for the security intelligence community. The establishment of the National Security and Intelligence Committee of Parliamentarians and the National Security and Intelligence Review Agency will now meet the majority of my concerns on the need to enhance accountability and transparency across the security establishment.

However, as part of my opening proposition, let me now address more directly aspects of the threat and our need to effectively respond to that reality.

We live in unprecedented times. Never in my career, which has spanned a little over three decades, have I perceived such a set of local and global challenges, from climate change and food security to irregular migration and unprecedented numbers of refugees, as well as social and political upheaval, nuclear threats, and shifting global hegemony. Threat actors from around the globe now target Canada with ease. Conversely, Canadians with the intent to harm others or target Canadian interests abroad can now operate from far-flung regions of the world, not just from typical conflict zones.

In this security intelligence equivalency of globalization, it is critically important that CSE continue to support CSIS, the Department of National Defence, and law enforcement agencies in the pursuit of lawful investigations or mission requirements wherever threats may emerge around the world. Whether that means assisting CSIS to collect intelligence on an emerging violent extremist network targeting Canadian travellers or diplomats abroad, assisting the Canadian Forces in the protection of a deployed unit delivering training, or perhaps even helping the RCMP bring human traffickers to justice, we need to provide the best available toolsets. The tools or capabilities I'm suggesting here are ones that only our signals intelligence organizations can provide.

Equally important, and I believe critical, is that we rely on Canadian-controlled and accountable capabilities rather than on the efforts or competencies of other nations that may not share our full set of standards and intentions.

With respect to part 3 of the bill, specifically dealing with cybersecurity and information assurance, let me say that as the provincial security advisor for Ontario, I am concerned most about this area, the cyber-threat targeting our vast investments in critical infrastructure.

Outside of the protection of intellectual property from either front-door or backdoor acquisition, what is key to our current and future prosperity is the protection of life-sustaining critical infrastructure assets, be they publicly owned or in private hands. Therefore, the enhanced ability for CSE to provide assistance towards protecting our critical infrastructure is vital for Ontarians and, I dare say, for all Canadians.

I believe this to be true because we now exist in a hazardous environment where 400-plus new malware threats are produced every minute and where ransomware attacks a person somewhere in the world every 10 seconds. As localized proof, the Government of Ontario’s cybersecurity operations team manages approximately 40 billion security events per month. Yes, that's billions per month. Although we are within industry norms, over 90% of the emails the Ontario public service receives are blocked due to botnet or spam threats.

With respect to defensive cyber operations, I believe that only CSE can bring to bear the technology, know-how, and library of threat-related data necessary to build effective cybersecurity resilience so necessary in this kind of environment. From conversations I've had with private industry and with large independent agencies of government, such as those involved in energy, health care, education, and transportation, I know that all feel the effects of constant cyber-threats. In essence, we and they can no longer do this alone. It is a global threat phenomenon requiring a national-level strategy and capability.

With regard to active cyber operations, let me simply say that the best defence always begins with a good offence. When more than five dozen countries around the world are reported to be actively developing cyber-operational capabilities, in my view, we must develop offensive cybersecurity measures to respond, and on certain occasions that means beyond our borders.

Offensive cyber-tactics have been developed and are being applied by the best private security firms in the world. Engaging the so-called dark web or darknet to gather intelligence in advance of an attack and to protect systems, such as those in the financial sector, has been the norm for some time. I know that because I've worked directly in that sector. When the time comes to face a targeted attack intended to manipulate the operating systems of an energy facility to cause a malfunction or perhaps even to destroy something, as we’ve seen in cases from Ukraine to Germany and even New York State, we will need CSE to “degrade, disrupt, influence, respond to or interfere with the capabilities [or] intentions” of those threat actions or their actors.

More commonly, and as another example, the frequency and prowess of so-called denial of service attacks or DDoS events are intensifying. One day soon, I predict, CSE will be required to assist a Canadian service provider or a subnational level of government to repel a massive DDoS attack.

With the advent of the Internet of things, we’ve already seen or witnessed botnets created out of smart devices being harnessed to launch attacks of one terabyte per second against institutions typically associated with information sharing, anti-spamming facilities, social networks, human rights workers, and mainstream media. Rest assured that this will only get worse, especially when we are facing autocratic regimes around the world that have no inhibitions.

On the issue of changing times, my current role as provincial security advisor is an important example of how the world has changed and how Canada’s view of itself and how it operates must also change. Ontario is but one of 14 core jurisdictions in this country. By itself, Ontario’s economy would rank 18th in a G20 context. No doubt, like Ontario, all subnational jurisdictions are conscious of the multitude of threats that continue to adversely affect prosperity and security.

To my mind, an effectively legislated security establishment that balances security requirements with accountability, transparency, and respect for the rights of Canadians is indeed the blueprint for our future success as a nation in this increasingly tumultuous world.

Thank you.

That's the essence of our proposal here: to find a way to harness the accountability mechanism that is being proposed for all collection of Canadians' information, whether or not it hinges on this finding of a reasonable expectation of privacy. How are you ever going to get to that adjudication unless you have a mechanism? It becomes a circular argument, because what is frequently collected, in our understanding, is metadata, if not a direct interception. In our view, that is certainly one of the issues that is critical to maintaining Canadians' confidence in the proposals. Having more authorization accountability is always going to be better than having less.

Certainly Canadians are becoming increasingly alive to the sense that what constitutes incidental collection—again because of the nature of the communication networks—could very well implicate them. This is a growing awareness, I would say, in Canada, and it becomes problematic when we keep hearing.... It's fair language to say that CSE doesn't target, but the way that the actual operations occur certainly implicates Canadians' data frequently. When I say it's not insignificant collection, again this is something that Canadians are becoming increasingly alive to, so they want to see mechanisms that are robust enough to provide the kinds of assurances that would be protective of them.

Is that question related specifically to CSE...?

That's right. There are a number of aspects of data collection that are touched on. I think, in the main, depending on the kinds of collection, that introducing elements of necessity would clearly be of privacy benefit to Canadians. In terms of whether or not that's appropriate across all of the channels of data collection, we would suggest there may be some standards of variation that are nevertheless appropriate.

That said, what you're asking about retention is a very interesting piece and it's part of this sense of compounding, low-threshold authorizations. It's the point that we make about simply compounding the first mistake of having an insufficiently high threshold in the beginning by thinking we can retain this on some kind of “might prove useful” standard. This compounds the first problem, as opposed to addressing the problem, which is the fundament of what we're saying in relation to retention.

Certainly we have found, for example, the annual reports from SIRC and the CSE commissioner to be immensely valuable. If we were going to make a recommendation, over-reporting as opposed to under-reporting would absolutely be the direction we would want to go for accountability and maintaining trust.

In my time at CSIS, although now dated—it's been almost six years since I left—when I was responsible for the counterterrorism operations team, a number of charges were difficult in this even more complex choreography around intel-into-evidence. In other words, we were proceeding against certain targets that met the CSIS threshold of reason to suspect, versus then transferring some information protecting sources. Of course, Bill C-59 provides new tools to assist with that in some respects.

However, many operational opportunities were left wanting, first because we had difficulty transitioning information from intelligence into usable evidence, and secondly because, quite often, I found the perspective of crown prosecutors was always extremely cautious. As a Canadian, I think that's very important, because it adds one more check and balance, definitional things, so that we essentially have a prosecutorial system that is inclined to ensure that there is very little chance this prosecution could not proceed successfully. More often than not, cases ended up dropping below the threshold, even though perhaps in another jurisdiction—south of the border, as one example—they would have proceeded full guns.

I would say no. I am more concerned about cyber-attacks. As I explained in my opening remarks, these attacks are a direct threat to society, as well as to our current and future prosperity.

Given the nature of terrorism, such attacks have more serious effects as compared to other threats to national security. However, we haven't seen the end of Daesh. This group still has sufficient operational capacity to attack Canadians or Canadian interests here and abroad.