Canada’s Electronic Spies Unleashed

Canada’s electronic spies will be limited “only by their imagination” in coming up with new cyber attacks and espionage campaigns under proposed legislation, a new report warns.

The national spy agency  Communications Security Establishment will be able to select targets and launch cyber attacks with little “meaningful” oversight, according to an analysis of Bill C-59 by the University of Toronto’s CitizenLab.

Bill C-59 “affords the CSE the ability to engage in a vast range of un-enumerated and deeply problematic activities with the potential to seriously interfere with charter-protected rights and freedoms,” the report, made public last month, reads.

Bill C-59 proposes to give CSE, for the first time in the agency’s postwar history, the explicit power to conduct cyber-attacks and sabotage against foreign states and people. Until now, the secretive agency has been limited to intelligence gathering, defending government networks, and assisting law enforcement.

The proposed powers are broad. The bill explicitly prohibits CSE from causing death or bodily harm, and from obstructing or perverting “justice or democracy.”

That leaves a very long list of permitted activities, the researchers note: 

“From mass dissemination of false information, to impersonation, leaking foreign documents in order to influence political and legal outcomes, disabling account or network access, large-scale denial of service attacks, and interference with the electricity grid, the possibilities for the types of activities contemplated in (Bill C-59) are limited only by the imagination,” the report reads.

Under the legislation, the CSE would require sign-off from both the minister of national defence and the minister of foreign affairs to launch a cyber-attack. But the offensive cyber operations would not require judicial sign off or oversight, nor would they require approval by the proposed independent Intelligence Commissioner, the report reads.

In a statement, CSE spokesperson Ryan Foreman suggested a warrant system for cyber operations may not be the best fit for the agency’s mandate.

“CSE is a foreign intelligence and cyber security organization, not a domestic security or law enforcement agency. Warrants for law enforcement ... are generally for specific targets or operations ... whereas CSE’s ministerial authorisations authorize a class of activities,” Foreman wrote, noting that the CSE is prohibited from directly targeting Canadians or people in Canada.

“However, these, and all of CSE’s activities would be subject to review” by a new parliamentary committee.
The report was prepared by CitizenLab researchers Christopher Parsons, Lex Gill and Ronald Deibert, as well as Tamir Israel, a lawyer with the Canadian Internet Policy and Public Interest Clinic, and Bill Robinson, who has long chronicled CSE’s history and activities.

In an interview with Toronto's Star on Sunday newspaper, Gill said Canada also runs the risk of normalising state-sponsored hacking and disinformation campaigns, a particular worry in North America, as the United States continues to unravel alleged Russian attempts to influence the 2016 presidential election through disinformation and hacking.

“The open question (is) whether or not affording the (CSE) these types of capabilities will contribute to Canada’s security interests or undermine them,” Gill said.
“By creating a climate which normalises these types of activities, creates a legislative framework for them, we’re accepting as Canadians that we think that these types of operations are okay. I’m not convinced that Canadians have had a robust public conversation about ... a kind of cyber warfare.”

The report compares CSE’s new cyber operations powers to the much-criticized “disruption” powers granted to another security agency, CSIS, by the Conservative administartion in 2015. 

Like the Conservatives’ Bill C-51, the Liberals’ national security bill permits CSE to take a wide array of “disruptive” activities, while explicitly prohibiting only a few limit cases. Bill C-59 is still before the House of Commons’ national security committee.

The governing Liberal party have signaled a willingness to substantially amend the legislation should issues be raised. The committee’s review will resume in early 2018.

The Toronto Star:

You Might Also Read:

Does Canada Need Its Own CIA Or MI6?:

Canada Prioritizes Cyber-Attack:

 

 

« GDPR Compliance & Personal Data Protection
Retaliation Against N Korea For WannaCry »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

Resecurity, Inc.

Resecurity, Inc.

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

Cyber Data-Risk Managers

Cyber Data-Risk Managers

Cyber Data-Risk Managers Pty Ltd is an insurance broker based in Melbourne, Australia specializing in Cyber insurance / Data breach insurance.

International Association for Cryptologic Research (IACR)

International Association for Cryptologic Research (IACR)

(IACR is a non-profit scientific organization whose purpose is to further research in cryptology and related fields.

Joe Security

Joe Security

Joe Security specializes in the development of automated malware analysis systems for malware detection and forensics.

CERT-PA

CERT-PA

CERT-PA is the national Computer Emergency Response Team for Italian government institutions.

ThreatAdvice

ThreatAdvice

ThreatAdvice is a provider of cybersecurity education, awareness and threat intelligence.

SynerLeap

SynerLeap

SynerLeap is ABB's innovation growth hub. Our aim is to help startups accelerate and expand across industries, ranging from industrial automation and robotics to grid technologies and smart cities.

Cyberspace Solarium Commission (CSC)

Cyberspace Solarium Commission (CSC)

The Cyberspace Solarium Commission was established to develop a consensus on a strategic approach to defending the United States in cyberspace against cyber attacks of significant consequences.

Marlabs

Marlabs

Marlabs is a Digital Technology Solutions company that helps companies adopt digital transformation using a comprehensive framework including Digital Automation, Enterprise Analytics and Security.

Vumetric Cybersecurity

Vumetric Cybersecurity

Vumetric is an ISO9001 certified company offering penetration testing, IT security audits and specialized cybersecurity services.

Cythereal

Cythereal

Cythereal is the leader in predicting and preventing advanced malware attacks. Security Automation for the Overwhelmed Administrator.

ExchangeDefender

ExchangeDefender

ExchangeDefender provides cybersecurity services that secures your company email and data, and guarantees 24/7 email access.

Cloudflare

Cloudflare

Cloudflare is a global network designed to make everything you connect to the Internet secure, private, fast, and reliable.

National Cybersecurity Agency (ACN) - Italy

National Cybersecurity Agency (ACN) - Italy

The ACN is the National Authority for Cybersecurity in Italy. the Agency promotes public-private initiatives to strengthen the national cybersecurity and resilience posture.

CYGNVS

CYGNVS

CYGNVS is a guided cyber crisis response platform providing anytime, anyplace access. A SaaS platform for cyber crisis management – a safe way to connect and control your response.

Deloitte Denmark

Deloitte Denmark

Swift incident management, worldwide support, and advanced defense strategies ensure comprehensive recovery and enterprise security with our IR service.

InterSources

InterSources

InterSources is a trusted partner, leading the way in Cloud Security, Cybersecurity, PLG Consulting, Digital Transformation, and Professional Services.