Spy watchdog warns of ‘significant legal risks’ if cyberops breach international law

OTTAWA — Canada’s electronic spy agency needs to clearly spell out how its operations in cyberspace comply with international law, says a new watchdog report.

The National Security and Intelligence Review Agency report sheds light on the little-known workings of the Communications Security Establishment’s defensive and active cyberoperations.

The CSE Act, which took effect in August 2019, gave the Ottawa-based cyberspy agency the authority to conduct such activities.

Defensive cyberoperations aim to derail foreign online threats before they reach vital federal government systems or networks, notes a heavily redacted version of the watchdog’s top secret report, made public Tuesday.

Active cyberops could allow the government to use the CSE’s sophisticated technical know-how to disable communication devices used by a foreign terrorist network to plan attacks.

The spy watchdog notes that international law in cyberspace is a developing area, and recognizes that Canada and other states are continuing to develop and refine their legal analysis in this field.

But it adds that cyberoperations conducted without a thorough and documented assessment of compliance with international law “would create significant legal risks for Canada” if an operation violated global legal standards. 

The CSE and Global Affairs Canada “have not sufficiently developed a clear and objective framework” with which to assess Canada’s obligations under international law in relation to cyberoperations, the report says. 

It recommends the two agencies provide an assessment of the global legal regime applicable to such operations. 

In addition, the CSE should require Global Affairs to conduct and document a thorough legal assessment of each operation’s compliance with international law, the report says.

A government response released along with the report says that since the review wrapped up, Global Affairs and the CSE have continued to develop the process for assessing the international legal implications of cyberoperations, with Global Affairs lawyers “documenting a thorough legal assessment of each operation’s compliance with international law.”

The issue was among “several gaps” the watchdog had identified during the review.

The CSE Act states that cyberoperations cannot be directed at Canadians, or any person in Canada, and cannot infringe the Charter of Rights and Freedoms. In addition, operations must be conducted under an authorization issued by the defence minister.

Overall, the intelligence review agency found the CSE and Global Affairs had done considerable work to build the governance structure for cyberoperations.

But it concluded that some aspects “can be improved by making them more transparent and clear.”

Among the report’s other findings:

— Ministerial authorization applications did not provide sufficient detail for the minister to appreciate the scope of the classes of activities being requested in the authorization;

 — the governance framework did not include a mechanism to confirm an active cyberoperation’s alignment with broader federal strategic priorities, as required by the CSE Act and the ministerial authorization;

— and employees working directly on cyberoperations may not have the requisite understanding of the specifics of the CSE’s new legal authorities and parameters surrounding their use. 

The government response says the CSE is proceeding cautiously to ensure all activities are carried out in accordance with the law, and in line with Canada’s international obligations — in particular those highlighted in a recently published statement on the application of international law in cyberspace. 

This report by The Canadian Press was first published April 30, 2024.

Jim Bronskill, The Canadian Press