Canada’s Electronic Spies Unleashed

Canada’s electronic spies will be limited “only by their imagination” in coming up with new cyber attacks and espionage campaigns under proposed legislation, a new report warns.

The national spy agency  Communications Security Establishment will be able to select targets and launch cyber attacks with little “meaningful” oversight, according to an analysis of Bill C-59 by the University of Toronto’s CitizenLab.

Bill C-59 “affords the CSE the ability to engage in a vast range of un-enumerated and deeply problematic activities with the potential to seriously interfere with charter-protected rights and freedoms,” the report, made public last month, reads.

Bill C-59 proposes to give CSE, for the first time in the agency’s postwar history, the explicit power to conduct cyber-attacks and sabotage against foreign states and people. Until now, the secretive agency has been limited to intelligence gathering, defending government networks, and assisting law enforcement.

The proposed powers are broad. The bill explicitly prohibits CSE from causing death or bodily harm, and from obstructing or perverting “justice or democracy.”

That leaves a very long list of permitted activities, the researchers note: 

“From mass dissemination of false information, to impersonation, leaking foreign documents in order to influence political and legal outcomes, disabling account or network access, large-scale denial of service attacks, and interference with the electricity grid, the possibilities for the types of activities contemplated in (Bill C-59) are limited only by the imagination,” the report reads.

Under the legislation, the CSE would require sign-off from both the minister of national defence and the minister of foreign affairs to launch a cyber-attack. But the offensive cyber operations would not require judicial sign off or oversight, nor would they require approval by the proposed independent Intelligence Commissioner, the report reads.

In a statement, CSE spokesperson Ryan Foreman suggested a warrant system for cyber operations may not be the best fit for the agency’s mandate.

“CSE is a foreign intelligence and cyber security organization, not a domestic security or law enforcement agency. Warrants for law enforcement ... are generally for specific targets or operations ... whereas CSE’s ministerial authorisations authorize a class of activities,” Foreman wrote, noting that the CSE is prohibited from directly targeting Canadians or people in Canada.

“However, these, and all of CSE’s activities would be subject to review” by a new parliamentary committee.
The report was prepared by CitizenLab researchers Christopher Parsons, Lex Gill and Ronald Deibert, as well as Tamir Israel, a lawyer with the Canadian Internet Policy and Public Interest Clinic, and Bill Robinson, who has long chronicled CSE’s history and activities.

In an interview with Toronto's Star on Sunday newspaper, Gill said Canada also runs the risk of normalising state-sponsored hacking and disinformation campaigns, a particular worry in North America, as the United States continues to unravel alleged Russian attempts to influence the 2016 presidential election through disinformation and hacking.

“The open question (is) whether or not affording the (CSE) these types of capabilities will contribute to Canada’s security interests or undermine them,” Gill said.
“By creating a climate which normalises these types of activities, creates a legislative framework for them, we’re accepting as Canadians that we think that these types of operations are okay. I’m not convinced that Canadians have had a robust public conversation about ... a kind of cyber warfare.”

The report compares CSE’s new cyber operations powers to the much-criticized “disruption” powers granted to another security agency, CSIS, by the Conservative administartion in 2015. 

Like the Conservatives’ Bill C-51, the Liberals’ national security bill permits CSE to take a wide array of “disruptive” activities, while explicitly prohibiting only a few limit cases. Bill C-59 is still before the House of Commons’ national security committee.

The governing Liberal party have signaled a willingness to substantially amend the legislation should issues be raised. The committee’s review will resume in early 2018.

The Toronto Star:

You Might Also Read:

Does Canada Need Its Own CIA Or MI6?:

Canada Prioritizes Cyber-Attack:

 

 

« GDPR Compliance & Personal Data Protection
Retaliation Against N Korea For WannaCry »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

BackupVault

BackupVault

BackupVault is a leading provider of completely automatic, fully encrypted online, cloud backup.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

ON-DEMAND WEBINAR: How to improve your security posture with a web application firewall (WAF)

ON-DEMAND WEBINAR: How to improve your security posture with a web application firewall (WAF)

Watch this webinar to discover how a WAF goes beyond a standard firewall and helps you meet security industry compliance.

Exclusive Networks

Exclusive Networks

Exclusive Networks accelerate market entry and growth for innovative cybersecurity, networking and infrastructure technologies.

Singapore Cybersecurity Consortium

Singapore Cybersecurity Consortium

Singapore Cybersecurity Consortium was created to encourage use-inspired research, training and technology awareness in cybersecurity.

Cato Networks

Cato Networks

Cato connects your branch locations, physical and cloud datacenters, and mobile users into a secure and optimized global network in the cloud.

Cobwebs Technologies

Cobwebs Technologies

Cobwebs Technologies provide web intelligence solutions for Law Enforcement (including cybercrime), Intelligence Agencies and Federal Agencies.

ManTech International

ManTech International

ManTech provides comprehensive, integrated cyber security support, which includes computer and network design, implementation, and operations.

OpenFlowSec.org

OpenFlowSec.org

OpenFlowSec is developing OpenFlow security solutions to address security challenges posed by the Software Defined Networking paradigm.

CERT-IS

CERT-IS

CERT-IS is the national Computer Emergency Response Team for Iceland.

inBay Technologies

inBay Technologies

inBay Technologies' idQ Trust as a Service (TaaS) is a unique and innovative SaaS that eliminates the need for user names and passwords.

Abusix

Abusix

Abusix specializes in Internet security, network abuse handling, antispam and fraud prevention.

Dermalog Identification Systems

Dermalog Identification Systems

Dermalog Identification Systems is a pioneer in biometry and the largest German manufacturer of biometric devices and systems.

ISA Security Compliance Institute (ISCI)

ISA Security Compliance Institute (ISCI)

ISCI, a not-for-profit automation controls industry consortium, manages the ISASecure™ conformance certification program for industrial automation and control systems.

Cybrella

Cybrella

Cybrella offers professional cybersecurity services for small to medium sized businesses and to larger enterprises looking to expand their cybersecurity capabilities.

Certihash

Certihash

Certihash have developed the world’s first blockchain empowered suite of information security tools based on the NIST cybersecurity framework.

Clarabot Nano

Clarabot Nano

Nano is the secure file sharing tool to improve content search, data access and collaboration between multiple parties.

AdronH

AdronH

AdronH is a company of Cyber Security consultants. We support companies and public institutions with their digital transformation to new and secure business platforms.

AWARE7

AWARE7

IT security for human and machine. With the help of our products and services, we work with you to increase the IT security level of your organization.