CSE’s International Law Headache
Apr 27 2019
By Craig Forcese and Leah West
Bill C-59 will give the Communications Security Establishment (CSE) several new mandates, including the authority to engage in “active cyber” operations. This blog post briefly describes this mandate and addresses an area of uncertainty: how will the government square the use of offensive cyber capabilities with Canada’s international law obligations?
Overview of Active Cyber
Under the proposed Communications Security Establishment Act, once authorized to engage in “active cyber”, CSE may “carry out activities on or through the global information infrastructure to degrade, disrupt, influence, respond to or interfere with the capabilities, intentions or activities of a foreign individual, state, organization or terrorist group as they relate to international affairs, defence or security.”
There are few limitations on CSE’s use of these new powers. As with CSE’s foreign intelligence collection, CSE must not direct its cyber operations at any portion of the global information infrastructure that is in Canada, at a Canadian or any person in Canada, and the operations must not infringe the Canadian Charter of Rights and Freedoms. Additionally, CSE must not “cause, intentionally or by criminal negligence, death or bodily harm to an individual” or “willfully attempt in any manner to obstruct, pervert or defeat the course of justice or democracy.”
Before conducting an active cyber operation, CSE must obtain an authorization from the Minister of National Defence, along with the approval of the Minister of Foreign Affairs. Technically, CSE is limited to a list of permitted activities set out in the Act. In reality, the enumerated activities are so vague and broadly defined that it is hard to imagine what is not captured by this list:
(a) gaining access to a portion of the global information infrastructure;
(b) installing, maintaining, copying, distributing, searching, modifying, disrupting, deleting or intercepting anything on or through the global information infrastructure;
(c) doing anything that is reasonably necessary to maintain the covert nature of the activity; and
(d) carrying out any other activity that is reasonable in the circumstances and reasonably necessary in aid of any other activity, or class of activities, authorized by the authorization.
What is more, the Minister may authorize a cyber operation (or indeed, foreign intelligence or cybersecurity activities) despite “any other Act of Parliament or of any foreign state.” This permissive clause means that a cyber operation may be carried out, even where it is known that its execution may violate Canadian and foreign legislation.
The Fly in the Ointment
Notably, however, the Act does not specify that the Minister may authorize CSE to violate international law when engaging in active cyber (or any of CSE’s other mandates). Parliament can use legislation to authorize the violation of Canada’s international legal obligations (even though doing so would not absolve Canada of state responsibility), but it must do so explicitly. Had the drafters intended to relieve CSE of its international legal obligations, they could have easily done so by using the phrase “notwithstanding any other law” or “without regard to any other law.” The Canadian Security Intelligence Service Act includes these phrases, the latter having been specifically added in 2015 to resolve questions of jurisdiction and the relevant provisions’ international application.
In sum, the current bill C-59 “any other Act” language is too narrow to exclude international law. This drafting is not a small omission. It means, in effect, that much of what CSE might otherwise do under its active cyber functions (and potentially its other mandates) is actually prohibited because it would likely run afoul of international law.
Exactly how crimping international law is in the cyber domain is a matter of considerable uncertainty, as discussed below. But whatever doubts exist at the margins, the definition of active cyber operations is broad enough to reach conduct that might amount to (in order of gravity): the exercise of extraterritorial enforcement jurisdiction; interference in the affairs of another state; use of force; or an armed attack. Transgressions of these thresholds would trigger Canadian state responsibility in international law and would, among other things, justify countermeasures by other states against Canada. (A countermeasure is an action otherwise unlawful but permissible when taken in response to another state’s internationally wrongful conduct. A countermeasure cannot include a use of force or derogate from certain other elemental limitations on what states can do.)
In the result, active cyber (and perhaps other CSE mandates, including even foreign intelligence) will only be possible if compliant with international law. At minimum, Canadian conduct will likely be congruent with international law when Canada itself engages in an operation as a countermeasure to the wrongful conduct of another state. But given the precise rules around the use of countermeasures, this approach would make effective cyber operations challenging.
In the result, for its own active cyber (and cybersecurity and foreign intelligence) purposes, Canada would likely prefer an interpretation of international law in which state responsibility is triggered only at relatively high degrees of intrusion. But were it to adopt this approach, it could not then complain about another state’s equivalent intrusion into Canadian systems. That hoists Canada onto the horns of an active/defensive cyber dilemma.
There is no perfect solution to these quandaries. One possibility is to follow the CSIS Act model, and simply relieve CSE of the current (automatically implied) bill C-59 domestic statutory bar on transgressing international law. Drafted properly, this would not green-light international law violations. Rather, it would leave it to the government itself to consider the implications of international law compliance, in exercising its authority over CSE conduct. Still, it is hard to find an uncontroversial way of crafting language authorizing an active cyber power reaching the range of international law implications noted above. Do we really want statutory language that opens the door to, e.g., noncompliance with international humanitarian or human rights law?
Another possibility is to relax the international stricture but retain the bar in areas where a transgression would be most egregious – for instance, CSE active cyber amounting to use of force or armed attack, absent grounds permissible in international law. This would have the added virtue of limiting CSE’s participation as part of active cyber in what might also be an armed conflict – something that, for a civilian agency, would amount to unlawful direct participation in hostilities, under the international law of armed conflict. As a drafting matter, this change might be accomplished by making additions to the list of things CSE cannot do as part of its active cyber mandate. (This addition would mean any CSE participation in armed conflict should come through its “assistance” mandate, in aid of the Canadian Armed Forces. Admittedly, however, this approach would not eliminate the international unlawful combatancy concern in full, if CSE remains a civilian agency in providing this forceful assistance. For more on Leah West’s perspective on these issues, read here.)
This intermediate approach of relaxing the statutory bar on some, but not all, international law issues would permit the government to decide CSE should violate a lower-level international obligation. This would be concerning – and there are good reasons to be cautious about an active cyber (or other) activity that may trigger state responsibility of any sort. Many people would resist, therefore, any relaxation of the current implied ban on international law violations in bill C-59.
That said, it is important to note how murky international law is in this area. For example: as a matter of international law, can CSE legally turn off a botnet attacking Elections Canada’s servers, but operating on the servers in another state, perhaps without that state’s connivance? Under the approach taken to “enforcement jurisdiction” and sovereignty by the Federal Court in decisions related to CSIS powers, the answer would likely be “no”. However, under the approach adopted by the Tallinn Manual 2.0, or the recent UK government statement on international law in cyber space, the answer might be “yes”. How will CSE’s review body – the National Security and Intelligence Review Agency – assess the international law rules, and by extension CSE’s legislative competence? How will the Intelligence Commissioner – who under C-59 must approve ministerial authorizations for foreign intelligence and cybersecurity activities – rule on the matter? And if the Intelligence Commissioner’s decision is judicially reviewed, would the Federal Court apply its current, constraining view of “enforcement jurisdiction”? It is possible there will be a cacophony of different views, creating the bane of all national security law: uncertainty. If there is doubt whether CSE has the statutory power to do something, the result will likely be inaction; inaction that could put Canadian security or infrastructure at risk.
The question is, therefore, whether C-59 should continue to make compliance with (often uncertain) international law a prerequisite to CSE’s statutory powers, or leave these international law compliance questions to the executive. This question is likely academic. At this juncture, few changes to the bill are likely, especially on such a complicated and technical issue.
At the very least, therefore, Canada should issue a clear statement about the reach of international law to cyber space, following the path of states like the United Kingdom, Germany, the Netherlands, Australia and the United States. This would lay a marker for determining where international law applies, where it does not, and where, by extension, CSE has statutory competence to act.