Public Safety committee  We are prohibited from targeting Canadians anywhere, so if there is a direct correlation, and that activity is emanating from a Canadian's communications, it's off limits. Thank you.

Public Safety committee  Looking at terrorist activity is very much a team sport in Canada. The RCMP, CSIS, CSE, as well as others each have a role, and we work together to understand what each of us is bringing with our mandates, authorities, skills, and capabilities. In this case, it may be within the services' remit to be looking at a Canadian outside of Canada who was involved in these activities.

Public Safety committee  Sure. You've referred to both the foreign intelligence mandate and the active cyber-operations aspect of the proposed authorities. I can maybe start by speaking about the foreign intelligence side. Before any activities are undertaken, there is a really robust process in place around policies and training and testing.

Public Safety committee  If you think of an active cyber-operation or a defensive cyber-operation as a plan that has been pulled together, it doesn't happen spontaneously. A lot of research and a lot of analysis have to go into getting to the point where you have an idea of what you could do online in a defensive or disruptive action.

Public Safety committee  It's a good question. As the legislation firms up and we understand what the scope is, should these authorities be granted it will be up to CSE to work with Public Safety, critical infrastructure owners, and the minister to look at where the risks are and to start designating and prioritizing, because as you point out, it will be impossible to address all of the concerns and all of the infrastructures that exist in Canada.

Public Safety committee  The bill does not refer specifically to critical infrastructure, but I think it makes reference to non-governmental systems, which are tantamount to critical infrastructure, because as you say, our global information infrastructure is made up of public and private enterprises. In that space, CSE, which is currently focused on defending and blocking activities on the government infrastructure, is limited right now to providing advice and guidance only to critical infrastructure owners in a way such that the information is available to the general public.

Public Safety committee  On our website we do have a fact sheet that outlines the measures we take to protect privacy at the moment. As technology evolves, as information evolves, we need to make sure we are staying current and are adopting more and more effective measures to protect privacy. So they are not captured in legislation, they are captured in ministerial authorizations.

Public Safety committee  I would say as well—

Public Safety committee  As my colleague has already mentioned, this is not new. CSE has to take these kinds of unknown entities and elements of information and try to flesh them out to understand exactly what we're dealing with. It could be as simple as a Google search. It could be looking or working with other databases that are out there that might help us contextualize this.

Public Safety committee  Probably the best I can do to reassure you is to say that we've had a commissioner who has reviewed CSE's activities for privacy for more than 20 years. In assessing our activities and looking for privacy concerns or lawfulness, he touches on these kinds of activities, the open source research that we do to support our activities, because a lot of our activities require this to be effective.

Public Safety committee  Yes, sir, in fact there's an explicit prohibition in the act that ensures that any active cyber operation is not used to pervert or obstruct the course of justice or democracy.

Public Safety committee  I am not an expert on all of our allies' authorities, but this generally brings us in line with the activities and the authorities that they have at their disposal, and positions us to be a coalition partner in various broader activities that go beyond a national scope.

Public Safety committee  Sure. I would preface this by saying that active cyber operations are meant to achieve an objective that the government has established, and that it's a team sport. That means we each are bringing our mandates, our authorities, and our capabilities to this table. It really is a way of working together to figure out who has the right authority to address the right issue at the right time based on their skills, their mandates, and their authorities.

Public Safety committee  Yes, critical infrastructure is included. In the legislative proposal, CSE would receive the authority to take the skills and the technology and the capabilities that have been developed to protect Government of Canada networks and to make that advice, guidance, and those services available to critical infrastructure owners if that critical infrastructure element has been designated by the minister as eligible for CSE assistance, and if that critical infrastructure element system owner has requested our assistance.

Public Safety committee  No. The active cyber operations directed at foreign entities outside of Canada require the approval of the Minister of Defence as well as the Minister of Foreign Affairs. Necessity, reasonableness, and proportionality are all factors they have to consider. They cannot be achieved by any other means, cannot cause bodily harm or death, but also cannot subvert or obstruct democracy or the course of justice.