Canada’s Electronic Spies Unleashed

Uploaded on 2018-01-09 in NEWS-News Analysis, INTELLIGENCE--International, GOVERNMENT-National, FREE TO VIEW

Canada’s electronic spies will be limited “only by their imagination” in coming up with new cyber attacks and espionage campaigns under proposed legislation, a new report warns.

The national spy agency  Communications Security Establishment will be able to select targets and launch cyber attacks with little “meaningful” oversight, according to an analysis of Bill C-59 by the University of Toronto’s CitizenLab.

Bill C-59 “affords the CSE the ability to engage in a vast range of un-enumerated and deeply problematic activities with the potential to seriously interfere with charter-protected rights and freedoms,” the report, made public last month, reads.

Bill C-59 proposes to give CSE, for the first time in the agency’s postwar history, the explicit power to conduct cyber-attacks and sabotage against foreign states and people. Until now, the secretive agency has been limited to intelligence gathering, defending government networks, and assisting law enforcement.

The proposed powers are broad. The bill explicitly prohibits CSE from causing death or bodily harm, and from obstructing or perverting “justice or democracy.”

That leaves a very long list of permitted activities, the researchers note: 

“From mass dissemination of false information, to impersonation, leaking foreign documents in order to influence political and legal outcomes, disabling account or network access, large-scale denial of service attacks, and interference with the electricity grid, the possibilities for the types of activities contemplated in (Bill C-59) are limited only by the imagination,” the report reads.

Under the legislation, the CSE would require sign-off from both the minister of national defence and the minister of foreign affairs to launch a cyber-attack. But the offensive cyber operations would not require judicial sign off or oversight, nor would they require approval by the proposed independent Intelligence Commissioner, the report reads.

In a statement, CSE spokesperson Ryan Foreman suggested a warrant system for cyber operations may not be the best fit for the agency’s mandate.

“CSE is a foreign intelligence and cyber security organization, not a domestic security or law enforcement agency. Warrants for law enforcement ... are generally for specific targets or operations ... whereas CSE’s ministerial authorisations authorize a class of activities,” Foreman wrote, noting that the CSE is prohibited from directly targeting Canadians or people in Canada.

“However, these, and all of CSE’s activities would be subject to review” by a new parliamentary committee.
The report was prepared by CitizenLab researchers Christopher Parsons, Lex Gill and Ronald Deibert, as well as Tamir Israel, a lawyer with the Canadian Internet Policy and Public Interest Clinic, and Bill Robinson, who has long chronicled CSE’s history and activities.

In an interview with Toronto's Star on Sunday newspaper, Gill said Canada also runs the risk of normalising state-sponsored hacking and disinformation campaigns, a particular worry in North America, as the United States continues to unravel alleged Russian attempts to influence the 2016 presidential election through disinformation and hacking.

“The open question (is) whether or not affording the (CSE) these types of capabilities will contribute to Canada’s security interests or undermine them,” Gill said.
“By creating a climate which normalises these types of activities, creates a legislative framework for them, we’re accepting as Canadians that we think that these types of operations are okay. I’m not convinced that Canadians have had a robust public conversation about ... a kind of cyber warfare.”

The report compares CSE’s new cyber operations powers to the much-criticized “disruption” powers granted to another security agency, CSIS, by the Conservative administartion in 2015. 

Like the Conservatives’ Bill C-51, the Liberals’ national security bill permits CSE to take a wide array of “disruptive” activities, while explicitly prohibiting only a few limit cases. Bill C-59 is still before the House of Commons’ national security committee.

The governing Liberal party have signaled a willingness to substantially amend the legislation should issues be raised. The committee’s review will resume in early 2018.

The Toronto Star:

You Might Also Read:

Does Canada Need Its Own CIA Or MI6?:

Canada Prioritizes Cyber-Attack:

 

 

« GDPR Compliance & Personal Data Protection
Retaliation Against N Korea For WannaCry »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

CUIng.org

CUIng.org

The CUIng initiative was launched to tackle the problem of criminal exploitation of information hiding techniques.

Verint Systems

Verint Systems

Verint is a leader in Actionable Intelligence with a focus on customer engagement optimisation, security intelligence, fraud, risk and compliance.

inBay Technologies

inBay Technologies

inBay Technologies' idQ Trust as a Service (TaaS) is a unique and innovative SaaS that eliminates the need for user names and passwords.

Oak Ridge National Laboratory (ORNL)

Oak Ridge National Laboratory (ORNL)

ORNL conducts basic and applied research and development in key areas of science for energy, advanced materials, supercomputing and national security including cybersecurity.

Center for Long-Term Cybersecurity (CLTC)

Center for Long-Term Cybersecurity (CLTC)

The Center for Long-Term Cybersecurity is developing and shaping cybersecurity research and practice based on a long-term vision of the internet and its future.

Cybertonica

Cybertonica

Cybertonica is a FinTech company which detects and prevents fraudulent transactions and reduces risk for financial services organisations.

Desec Security

Desec Security

Desec's training platform allows professionals around of the world to acquire knowledge and practical experience in Information Security.

Cyber Security Education

Cyber Security Education

CybersecurityEducation.org is an online directory of cyber security education and careers.

Italtel

Italtel

Italtel is a multinational ICT company that combines networks and communications services with the ability to innovate and develop solutions for digital transformation.

Point Predictive

Point Predictive

Point Predictive build Predictive Models using Artificial Intelligence and Machine Learning techniques that help our customers stop fraud and early payment default (EPD).

apiiro

apiiro

apiiro invented the industry-first Code Risk Platform™ that uses developers and code behavior analysis to accelerate delivery and automatically remediate product risk.

Cyber Range Solutions (CRS)

Cyber Range Solutions (CRS)

CRS provides cyber security training and improve security team performance by providing a hyper realistic, virtual training environment.

Accedian

Accedian

Accedian is a leader in performance analytics and end user experience solutions, dedicated to providing our customers with the ability to assure their digital infrastructure.

Iconium Software

Iconium Software

DataLenz by Iconium offers continuous and real-time tracking of your data assets delivering you the tools you need to successfully reach and maintain your target security standards.

Wavenet

Wavenet

Wavenet has grown from simple beginnings to become one of the UK’s market leaders in unified communications, business telephony, and Cyber Security solutions.

Concorde Technology Group

Concorde Technology Group

Concorde Technology Group is one of the UK’s leading IT support and services providers, delivering cost-effective and innovative IT solutions to businesses across the country.