Testimony: Professor Leah West on Bill C-59 in Senate

29 April 2019

SECD Committee

Senate of Canada

Thank you very much. I would like to address the Communications Security Establishment Act.

Foreign Cyber Operations

I strongly believe that this legislation is necessary and should become law. That said, I am concerned about the effectiveness and scope of the CSE’s new cyber operations mandates. Specifically, its “Active Cyber” mandate defined in section 19 of the Act.

Under this mandate the Establishment may:

carry out activities on or through the global information infrastructure to degrade, disrupt, influence, respond to or interfere with the capabilities, intentions or activities of a foreign individual, state, organization or terrorist group as they relate to international affairs, defence or security.

At first, the scope of what this definition authorizes appears remarkable: it encompasses acts as benign as changing the content of an ISIS supporter’s tweet, to taking down the entire electrical grid of an enemy state capital.

However, before conducting a foreign cyber operation (be it active of defensive), CSE must obtain an authorization from the Minister of National Defence.[1] The Minister may authorize a cyber operation despite “any other Act of Parliament or of any foreign state.”[2] This clause means that CSE may carry out a cyber operation if its execution violates Canadian and foreign law. The current Act does not permit CSE to violate international law when engaging in cyber operations.

Why is this important?

CSE may only target its operations at non-Canadians in foreign countries. Yet, under international law, Canada may not exercise its power in the territory of another state or intervene in the internal affairs and foreign relations of another state. If we think back to the definition of active cyber operations, it is hard to conceive of an example that would not violate these international legal rules. Under a strict interpretation of international law, merely hacking a foreign server may be a violation of the target state’s sovereignty. While there is debate about this issue amongst the international community, there is strong agreement that hacking leading to a loss of functionality or physical damage to foreign cyberinfrastructure would violate a state’s territorial integrity.  

What does this mean for CSE?

There are only three instances where CSE can employ an active cyber operation and comply with the proposed Act. First, with the consent of the host state; second, as a lawful countermeasure; and third, in an armed conflict. Each of these circumstances raises additional concerns.

1.     Host State Consent

Consent might be an option if CSE were looking to direct a cyber operation against a non-state threat like a terrorist organization if Canada was partnering with the host state to disrupt that threat. It would, however, be wholly ineffective if the threat CSE is looking to affect is the host state itself.

Consent would not be a viable approach to counter, as an example, foreign interference in the upcoming federal election.

2.     Countermeasures

Countermeasures are a form of self- help. A state can engage in an activity that would otherwise violate international law to induce another state to comply with its international obligations. To lawfully employ a countermeasure, Canada would first have to demand that the bad-actor state change its unlawful behaviour, notify the offending state that Canada will be taking countermeasures and offer to negotiate.

Because of these constraints, relying on this exception is of limited use if Canada’s intent is to engage in covert cyber activities.

3.     Armed Conflict

CSE could use its active cyber mandate during an armed conflict to which Canada is a party. Any cyber operation would have to comply with the law of armed conflict and could put CSE civilians at risk. This is because, as participants in hostilities, CSE employees would become lawful targets, meaning hostile forces could target and kill them in Canada or anywhere else they operate.  

Recommendations 

Changing the language of s. 29 and s. 30 of the Act from “despite any other Act of Parliament or of any foreign state” to “notwithstanding any other law” would give the Government more flexibility.

However, this amendment without more would open the door too wide. I certainly do not want to see the Act amended in a way that authorizes CSE to engage in cyber operations that violate international humanitarian law or the prohibition against the use of force.

For this reason, I recommend that the Act also be amended to explicitly prevent CSE from engaging in operations that rise to the level of a use of force and participating in an armed conflict under their cyber operation mandate.  

Importantly, this change would permit the Minister to authorize CSE cyber operation that violate lower-level international obligations. But, it would also lessen the associated risks to Canadians and Canadian foreign relations, while at the same time increasing the government’s legal capacity to employ offensive and defensive tools in cyberspace.

Thank you for your time. I look forward to answering your questions.

[1]                Ibid, s 30(2)

[2]                Ibid, s 29(1), s 30(1).