1999-2000 Review Undertakings

During this past year, I submitted four classified reports to the Minister of National Defence. One of these reports revisited the subject of internal investigations and complaints. The remaining reports presented the results of reviews of CSE activities related to its foreign signals intelligence and information technology security mandates. All studies included an examination of the legal parameters within which CSE operates, related policies and practices, and the accountability systems and procedures in place at CSE. None revealed issues of unlawful activity.

Internal Investigations and Complaints

When I first reviewed CSE's internal investigations and complaints in 1997-98, I observed that most dealt with such issues as security infractions, and none involved unlawful activity in the delivery of CSE's mandate. This was again the case this past year. In the interim, CSE implemented many new internal security policies and initiatives to heighten security awareness. These appear to have proven effective, in that there were far fewer incidents leading to internal investigations this past year than in 1997-98.

Foreign Signals Intelligence

In reviewing CSE's signals intelligence activities this past year, I noted a continuing enhancement and updating of SIGINT policies and directives in response to the evolving communications environment. I also observed new initiatives introduced by CSE to enhance its ability to manage and account for its SIGINT-related activities.

I paid particular attention this year to examining not only what CSE collects and retains, but how CSE's intelligence holdings are generated. As a result, I was able to further my knowledge and understanding of some of the highly specialized and technical means used to minimize the likelihood that private Canadian communications would make their way into CSE's holdings. I am able to state that, as of this date, I am satisfied that, within the current technical environment, CSE is employing appropriate measures to safeguard the privacy of Canadians.

The Intelligence Cycle

In last year's report, I observed that CSE's activities are driven by its mandate to fulfil the foreign intelligence requirements established by the Government of Canada, not by the capabilities of the technology at hand.

Those requirements, in the form of foreign intelligence priorities for Canada's intelligence community, are set annually by a group of Cabinet ministers whose responsibilities touch on the country's security within Canada and abroad. The establishment of the Government of Canada's intelligence priorities is the first step in what the intelligence community calls the "intelligence cycle." It is worth examining that cycle briefly and looking at CSE's role in it.

The Government of Canada's foreign intelligence priorities form the basis of CSE's yearly SIGINT program. That is to say, these priorities are conveyed formally to CSE by the Deputy Secretary to the Cabinet, Security and Intelligence, Privy Council Office. CSE then uses these priorities to determine what information it seeks to obtain, either from its own activities or from the activities of its partner agencies in the United States, the United Kingdom, Australia, and New Zealand.

Concurrent with this, CSE must ensure that the appropriate steps are always taken to minimize the likelihood of intercepting the private communications of Canadians.

Next, CSE receives the inflow of intelligence traffic from multiple sources - its own and those of its partners. This traffic is then processed, analyzed and assessed against the government's intelligence priorities. The resulting intelligence product is disseminated to the government departments responsible for protecting Canada's security, intelligence, economic and defence interests.

Intelligence dissemination is facilitated by knowledgeable CSE staff who provide a tailored and timely intelligence delivery service to some 800 senior decision makers in government on ongoing and emerging issues. This regular contact with the users of CSE's intelligence product ensures that requirements are updated and feedback is incorporated in the production process.

The intelligence cycle provides me with one framework for reviewing CSE's activities. I can examine the lawfulness of CSE's activities at each stage of the cycle. Through this work, I keep abreast of foreign intelligence collection capabilities and practices, signals processing, signals and intelligence analysis, and the dissemination of intelligence product to CSE's clients in government.

I believe the exploding yield of information carried by global communications networks increases the need to ensure that the privacy of Canadians is protected. I continue working to identify and understand the numerous technological initiatives that support intelligence gathering. I am also increasing my understanding of how some of these initiatives are applied. Within this intelligence cycle, however, my interest remains the identification and examination of any technical applications and initiatives CSE uses to avoid, or at least minimize, the likelihood of private Canadian communications making their way into CSE's holdings.

I am able to report that CSE has undertaken initiatives to advance its technological capability to ensure the protection of private Canadian communications. CSE is aware of both my interest in this area and the importance I attach to assessing compliance. I encourage CSE's research and development initiatives in this fast-paced technological environment.

'Second Party' Collection

As noted earlier, CSE receives signals intelligence gathered by other governments. CSE also contributes intelligence it collects to other governments. These partnership arrangements - with the United States, the United Kingdom, Australia, and New Zealand - were developed during the Second World War and maintained throughout the Cold War. Signals that are provided by one country to another are described as 'second party' collection.

The governments of the countries involved in this exchange of intelligence have policies to ensure the privacy of their citizens. In particular, each government has agreed not to undertake collection on behalf of a second party that would be illegal in the second party country. In other words, they do not do indirectly what they cannot do directly.

I have made a point of developing an understanding of these collaborative relationships, focusing not only on shared policies but also on actual practices. I have sampled the documentation and had access to some of the systems that support intelligence gathering and exchange. At this time I am satisfied that CSE is taking all reasonable steps to safeguard the privacy of Canadian communications.

Information Technology Security

Over the past four years, I have focused much of my effort on CSE's SIGINT activities. However, CSE has another important role in government - its Information Technology Security (ITS) mandate: CSE advises the government on how to maintain security in its use of information technology.

This year, my Office conducted an in-depth examination of the ITS program to determine whether its activities were lawful. The study involved, first, a review of CSE's ITS authorities and mandate as provided in direction given to the Chief, CSE. This was followed by an examination of the management control framework established to govern the conduct and performance of ITS activities. Step three was an analysis of the environmental factors and changing circumstances affecting the government's security requirements. Finally, strategies, plans, operations and projects were reviewed against the template established by the preceding steps to identify issues or activities for further exploration.

No evidence of unlawful activity was found. However, the study did reveal several pertinent facts:

• The trend in government and the private sector toward increased electronic business and service delivery is radically transforming the ITS program. Whereas previously the program's focus was the protection of classified information about a small number of government clients, now it is called upon increasingly to advise on protecting unclassified but sensitive information, including the electronic business transactions that underpin many government programs and operations.
• If Canadians are to have confidence in electronic commerce and the infrastructure that makes it possible, the government must have "made-in-Canada" solutions to security concerns. CSE is well equipped to play a key role in this, but it must be given clear direction by government on this sensitive issue.
• For example, one effective means of confirming the security of information infrastructure is to attempt to penetrate the defences (e.g., to test so-called firewalls). This is called "ethical hacking." CSE does not conduct such penetrations of active systems because this could reveal personal data, with privacy implications. However, the result is that mission-critical information technology systems are not tested for the full range of threat scenarios facing those systems.

Henceforth, I will closely monitor ITS involvement in these activities to ensure they comply with prevailing constraints. I also would encourage the government to give CSE clear policy direction regarding the role it should play in ensuring the security of Canada's information infrastructure.