Intelligence watchdog questions cyber agency's approach to international law, CSE insists it was above board

One of Canada's intelligence watchdogs has scolded the country's cyber security agency over its approach to international law.

The National Security and Intelligence Review Agency reviewed the Communications Security Establishment's activities in 2019, the first year after it receivednew powers. While the review was completed in 2020, its report was made public only this week.

The CSE insistsit never violated international lawand is callingthe matter a "philosophical" disagreement with its oversight body.

"CSE, because we are the ones who dealwith foreign cyber operations, did not violate international law. We did not even come close to violating international law,"Nabih Eldebs, CSE deputy chief of authorities, compliance and transparency, toldCBC News.

"This was not in our ethos, this was not in our thinking."

CSE clearedto launch attacks

CSE is empowered to gather foreign signals intelligence and defend Canada's national security, including government of Canada servers and networks. It also has a growing role in protectingCanada's critical infrastructure, such as banks, telecommunications and the energy industry.

To do all that, the agency wasgranted the ability in 2018 with ministerial consent to launch "active cyber operations" to disrupt threats from terrorist groups, hostile intelligence agencies and state-sponsored hackers.

As an example of what this power allows it to do,CSEsays it can prevent a foreign terrorist group from communicating or planning attacks by disabling their communication devices.

In its report,NSIRA wrote that when it asked CSE to explain its legal obligations when launching suchoperations, the agency'sresponse was lacking.

"CSE has not sufficiently examined its obligations under international law," said the intelligence review body in its heavily redacted report.

Eldebssaid the federal government was still developing its official stance on cyberspace and international lawas CSE was beginning to launch these operations.

"These were our new foray into foreign cyber operations," he said.

"I think, in my belief, it was a philosophical disagreement on the approach to international law between both organizations, not the importance of international law."

The government of Canada released a public statement on international law applicable to cyber space in 2021.Eldebs said the CSE now uses that statement as a guiding principle.

Had that public statement been available earlier, Eldebs said, it might have avoided thedisagreement between CSE and NSIRA.

"I would think so," he said.

Risk of retaliation

WhileCSE won't share details of the active operations it hasrunin other countries, the disagreement between the two bodies calls attention to how Canada behaves in the cyber world.

"International law applies to what we do in cyberspace, just like it applies to anything we would do if we were sending troops over to engage in an offensive operation," said Leah West, a professor of national security law at Carleton University.

"International law governs how states can engage in other states. And there'll be questions about whether or not CSE's actions or Canada's actions violate the other states' sovereignty, violate the principle of non-intervention."

The stakes are high, she added, given the opportunity for retaliation.

"Once you violate international law, states potentially have a right to respond to your violations," said West.

The NSIRA report also looked at CSE's other activities, including actions it took to protect Canadian infrastructure.

While case details are almost entirely redacted, the report does say that in 2019,CSE "observed strong evidence that a foreign-state sponsored actor had significantly compromised a Canadian company."

The company's name was redacted but the report said its infrastructure "is considered a system of importance to the government of Canada."

NSIRA's concerns aboutCSE's approach to international lawpromptedit to launchfollowup reviews of the agency'soperations.

Those reports have yet to be made public.Eldebs said they "didn't find anything in relation to compliance."