Since its creation, the Communications Security Establishment (CSE), the national agency that provides Canada’s government with information technology security as well as foreign signals intelligence, has struggled to embrace transparency.
In recent years, the CSE has been called out for failing to provide its oversight body with relevant information and for circumventing its mandate not to spy on Canadians or people in Canada. It also currently has one of the worst response rates with access to information requests among federal institutions, closing less than one in seven requests within legislated timelines. Last year, when I requested records pertaining to the CSE’s potential purchase of spyware and intrusion software from third-party vendors or service providers, the agency did not bother to respond; it issued a can’t-confirm-can’t-deny response.
A proposed new cybersecurity law, Bill C-26, will soon make evading transparency even easier. Having passed through the House of Commons after a two-year period, the bill is now undergoing its final stages of review in the Senate.
Although Bill C-26 represents a much-needed and important reform in some respects, as currently drafted it has many transparency problems. For example, it would give the federal government the authority — likely emanating from the CSE — to issue secretive “cyber security directions” to certain businesses in select critical sectors. Companies that receive such directives would be “prohibited from disclosing, or allowing to be disclosed, the fact that a cyber security direction was issued.” Those companies receiving such directions would be able to “disclose the fact that the direction was issued and its content only to the extent necessary to comply with the direction.”
In other words, the law would permit nearly complete secrecy when issuing cybersecurity directions to certain businesses; once received, those directions would almost never be subject to public disclosure. And they would not be subject to prior authorization or review before they were issued.
This diverges markedly from the thrust of the CSE’s enabling legislation, which seeks to impose greater accountability over certain conduct through prior authorization and review obligations. For example, under that enabling legislation, when the CSE’s spying activities contravene federal law or interfere with the reasonable expectation of privacy of individuals in Canada, the agency must obtain approval from the Office of the Intelligence Commissioner. Last year, the Commissioner fully granted half of such requests (three out of six). The cybersecurity direction powers in Bill C-26 are subject to no similar kind of review.
Notably, these powers would do nothing to stop many of the types of malicious cyber activities that our elected officials are currently examining in Parliament. The law would not apply to the recent cyberattack on a company that provides emergency travel health insurance for public service employees abroad, for example. Nor would it apply to the data breach of a relocation and moving company that provides services to members of the Royal Canadian Mounted Police (RCMP) and the Canadian Armed Forces. By design, such entities would not be covered by the new law.
Further, Bill C-26 makes no explicit reference to ransomware — the cyberthreat most frequently reported to the RCMP through its online crime reporting tool. Last year, the average payment to a Canadian company in response to a ransomware attack was approximately $1.1 million. This legislative silence contrasts with the American approach, which requires the reporting of ransom payments from providers of critical infrastructure.
That is information the CSE could use to further some of its more positive achievements. For example, its increasing issuance of pre-ransomware notifications to Canadian and Canada’s international partners’ businesses has created goodwill with the private sector. The same is true of the agency’s recent lead in taking down an unnamed ransomware actor.
The CSE is famous for its various sensors that can detect and deter malicious cyber activity. But while the federal government has rushed to create new powers to issue secretive cyber directions to various private businesses, it has done nothing to make the installation of CSE’s sensors mandatory in the 50 federal organizations that, as of March 2024, have yet to install at least one. The National Security and Intelligence Committee of Parliamentarians asked the federal government to redress this security deficit in 2022.
The scope of Bill C-26’s secretive powers is all the more concerning when we consider that the federal government has not yet enacted concrete legislation on privacy, data protection, or its use of artificial intelligence technologies. Instead, a proliferation of non-binding governmental “directives” and “guiding principles” have been to left to cover some of these areas when it comes to the government’s own conduct. But they are all without meaningful sanctions for non-compliance.
When it comes to Bill C-26, political leaders of all stripes would do well to heed the current warnings of the Citizen Lab at the University of Toronto, which has an impressive track record of defending Canadians’ online security. The Citizen Lab recently warned that Bill C-26 would “only make people in Canada more vulnerable to malicious threats to the privacy and security of all network users, including Canada’s most senior officials.”
At its core, Bill C-26 as currently drafted promotes a security policy based on secrecy — an approach highly unlikely to engender goodwill from businesses or public confidence in our democratic institutions. As an institution that remains reluctant to answer basic questions about its conduct, including its use of surveillance technology, the CSE needs more transparency, not less. On this front, Bill C-26 is a step in the wrong direction.