OTTAWA — A senior official from Canada’s cyberspy agency says proposed new powers would allow it to stop a terrorist’s mobile phone from detonating a car bomb, block the ability of extremists to communicate, or prevent a foreign power from interfering in the country’s democratic process.
A Liberal bill would help the Communications Security Establishment counter various forms of cyberaggression and violent extremism, Shelly Bruce, associate chief of the CSE, told a House of Commons committee studying the legislation.
A December report by leading Canadian cybersecurity researchers said there is no clear rationale for expanding the CSE’s mandate to conduct offensive operations.
It said the scope of the planned authority is not clear, nor does the legislation require that the target of the CSE’s intervention pose some kind of meaningful threat to Canada’s security interests.
Bruce stressed the proposed legislation contains safeguards that would prohibit the agency from directing active cyberoperations at Canadians. It would also forbid the CSE from causing death or bodily harm, or wilfully obstructing justice or democracy.
The Ottawa-based CSE intercepts and analyzes foreign communications for intelligence of interest to the federal government. It is a member of the Five Eyes intelligence alliance that also includes the United States, Britain, Australia and New Zealand.
The Liberal bill provides a statutory mandate for the highly secretive agency, which traces its roots to 1946, while giving it new muscle to conduct both defensive and offensive cyberoperations.
The powers would help keep Canadians safe against global threats, including cyberthreats, in a rapidly evolving technological world, Bruce said during the committee meeting.
She provided some concrete examples of how the CSE might use its new offensive capabilities — with input from other federal officials as well as accountability measures in the new law to prevent abuse.
“Active cyberoperations are meant to achieve an objective that the government has established and that’s a team sport,” she cautioned.
Bruce said a cyberoperation could be aimed at interrupting communications of an extremist group like the Islamic State of Iraq and the Levant “in a way that would stop attack planning before things reach a crisis pitch.”
An effort might involve preventing the spread of ransomware — software that holds people’s valuable data hostage in return for payment, she said.
Or the CSE could try to corrupt data on systems abroad that had been stolen from Canadian servers, rendering it useless to the thieves.
Bruce tried to allay concerns about how the CSE would use publicly available information under the new legislation and what effect this might have on the privacy of Canadians.
CSE would carry out “basic research” from the sort of public resources available to anyone in Canada, Bruce said.
“CSE does not, and would not use publicly available information to investigate Canadians or persons in Canada, or build dossiers on them,” she said.
“That is not our mandate, and for us, mandate matters.”
The cyberspy agency would use publicly available materials to provide general background information for a foreign intelligence or cybersecurity report, to assess the nationality of a person or organization, or to consult technical manuals, Bruce said.
Under no circumstances would the agency use this provision to acquire information — such as hacked or stolen data — that was unlawfully obtained, she added.